Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.6.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.6.exe
(renamed because original name is a hash value)
Original sample name: 2.0.6.exe
Analysis ID: 1580397
MD5: c5c5262b26879c84d470ef4a5b73663d
SHA1: c907618ac1db8f8186469e0bcfff2debc0b49fdd
SHA256: b53886e5499226b7565d65fd25ecd448f82434cac355d799ea2e39e0d822b234
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.6.exe (PID: 7936 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" MD5: C5C5262B26879C84D470EF4A5B73663D)
    • #U5b89#U88c5#U52a9#U624b2.0.6.tmp (PID: 7992 cmdline: "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" MD5: 65559DDD30465F50270FB7E9EE6E6C7C)
      • powershell.exe (PID: 8012 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7256 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.6.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT MD5: C5C5262B26879C84D470EF4A5B73663D)
        • #U5b89#U88c5#U52a9#U624b2.0.6.tmp (PID: 1132 cmdline: "C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$401F4,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT MD5: 65559DDD30465F50270FB7E9EE6E6C7C)
          • 7zr.exe (PID: 2112 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6060 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7436 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7776 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7808 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7976 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2596 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7740 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4812 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5096 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 800 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1240 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4252 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7412 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4672 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6184 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5288 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, ParentProcessId: 7992, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 8012, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7436, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7776, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, ParentProcessId: 7992, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 8012, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7436, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7776, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, ParentProcessId: 7992, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 8012, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\update.vac | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\update.vac | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.3% probability
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.1435534446.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1435315137.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C82B430 FindFirstFileA,FindClose,FindClose,7_2_6C82B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00016868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00016868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00017496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00017496
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000003.1390750497.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301363462.0000000003350000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301864148.000000007F12B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1303835283.0000000000781000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000000.1394369692.0000000000D4D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301363462.0000000003350000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301864148.000000007F12B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1303835283.0000000000781000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000000.1394369692.0000000000D4D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process information set: 01 00 00 00

System Summary

barindex
Source: update.vac.2.dr | Static PE information: section name: .#.q
Source: update.vac.7.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C835690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C8362D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B1950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6B4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 000AFB10 appears 718 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 000128E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00011E40 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: String function: 6C869240 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: String function: 6C906F10 appears 637 times
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000000.1299773869.0000000000FB9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301363462.000000000346E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301864148.000000007F42A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@142/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C8362D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00019313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00023D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00019252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C8357B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Program Files (x86)\Windows NT\is-B08G0.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$401F4,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$401F4,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static file information: File size 8206704 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.1435534446.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1435315137.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_000957D0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x3438fd
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: real checksum: 0x0 should be: 0x7dfa3a
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x3438fd
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section name: .00cfg
Source: update.vac.7.dr | Static PE information: section name: .voltbl
Source: update.vac.7.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C838C5B push ecx; ret 7_2_6C838C6E
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C6E0F00 push ss; retn 0001h 7_2_6C6E0F0A
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C906F10 push eax; ret 7_2_6C906F2E
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C86B9F4 push 004AC35Ch; ret 7_2_6C86BA0E
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | Code function: 7_2_6C907290 push eax; ret 7_2_6C9072BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000145F4 push 000BC35Ch; ret 11_2_0001460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000AFB10 push eax; ret 11_2_000AFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000AFE90 push eax; ret 11_2_000AFEBE
Source: update.vac.2.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.7.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6637
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3223
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Window / User API: threadDelayed 573
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Window / User API: threadDelayed 580
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Window / User API: threadDelayed 559
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C82B430 FindFirstFileA,FindClose,FindClose, 7_2_6C82B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00016868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00016868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00017496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00017496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00019C60 GetSystemInfo, 11_2_00019C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C6B3886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6C6B3886
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C8406F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C8406F1
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_000957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_000957D0
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C83F6ED mov eax, dword ptr fs:[00000030h] 7_2_6C83F6ED
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C84A2A5 mov eax, dword ptr fs:[00000030h] 7_2_6C84A2A5
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C84A2D6 mov eax, dword ptr fs:[00000030h] 7_2_6C84A2D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C83922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C83922D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp; Code function: 7_2_6C907700 cpuid 7_2_6C907700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_0001AB2A GetSystemTimeAsFileTime, 11_2_0001AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_000B0090 GetVersion, 11_2_000B0090
MITRE ATT&CK Matrix (techniques with matched signatures; the number in parentheses is the count shown in the report)

Execution: Command and Scripting Interpreter (2), Service Execution (1), Native API (1)
Persistence: Windows Service (1), DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1)
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Discovery: System Time Discovery (1), Security Software Discovery (42), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1580397
Sample: #U5b89#U88c5#U52a9#U624b2.0.6.exe
Startdate: 24/12/2024
Architecture: WINDOWS
Score: 88

90 Multi AV Scanner detection for dropped file 2->90
92 Found driver which could be used to inject code into processes 2->92
94 PE file contains section with special chars 2->94
96 2 other signatures 2->96
10 #U5b89#U88c5#U52a9#U624b2.0.6.exe 2 2->10 started
13 cmd.exe 2->13 started
15 cmd.exe 2->15 started
17 30 other processes 2->17

86 C:\...\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, PE32 10->86 dropped
19 #U5b89#U88c5#U52a9#U624b2.0.6.tmp 3 5 10->19 started
23 sc.exe 1 13->23 started
25 sc.exe 1 15->25 started
27 sc.exe 1 17->27 started
29 sc.exe 1 17->29 started
31 sc.exe 1 17->31 started
33 26 other processes 17->33

72 C:\Users\user\AppData\Local\...\update.vac, PE32 19->72 dropped
74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->74 dropped
98 Adds a directory exclusion to Windows Defender 19->98
35 #U5b89#U88c5#U52a9#U624b2.0.6.exe 2 19->35 started
38 powershell.exe 21 19->38 started
41 conhost.exe 23->41 started
43 conhost.exe 25->43 started
45 conhost.exe 27->45 started
47 conhost.exe 29->47 started
49 conhost.exe 31->49 started
51 conhost.exe 33->51 started
53 25 other processes 33->53

76 C:\...\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, PE32 35->76 dropped
55 #U5b89#U88c5#U52a9#U624b2.0.6.tmp 4 16 35->55 started
100 Loading BitLocker PowerShell Module 38->100
59 conhost.exe 38->59 started
61 WmiPrvSE.exe 38->61 started

78 C:\Users\user\AppData\Local\...\update.vac, PE32 55->78 dropped
80 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 55->80 dropped
82 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->82 dropped
84 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 55->84 dropped
102 Query firmware table information (likely to detect VMs) 55->102
104 Protects its processes via BreakOnTermination flag 55->104
106 Hides threads from debuggers 55->106
108 Contains functionality to hide a thread from the debugger 55->108
63 7zr.exe 2 55->63 started
66 7zr.exe 7 55->66 started

88 C:\Program Files (x86)\...\tProtect.dll, PE32+ 63->88 dropped
68 conhost.exe 63->68 started
70 conhost.exe 66->70 started

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: 0%, Scanner: ReversingLabs

Source: C:\Program Files (x86)\Windows NT\7zr.exe, Detection: 0%, Scanner: ReversingLabs
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc, Detection: 24%, Scanner: ReversingLabs
Source: C:\Program Files (x86)\Windows NT\tProtect.dll, Detection: 9%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\_isetup\_setup64.tmp, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\is-56EON.tmp\update.vac, Detection: 24%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\_isetup\_setup64.tmp, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\is-7G70G.tmp\update.vac, Detection: 24%, Scanner: ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe
Malicious: false
Reputation: high

Name: https://www.remobjects.com/ps
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301363462.0000000003350000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301864148.000000007F12B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1303835283.0000000000781000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000000.1394369692.0000000000D4D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr
Malicious: false
Reputation: high

Name: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301363462.0000000003350000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1301864148.000000007F12B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1303835283.0000000000781000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000007.00000000.1394369692.0000000000D4D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.6.dr
Malicious: false
Reputation: high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580397
        Start date and time:2024-12-24 13:13:13 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 10m 45s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:108
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U52a9#U624b2.0.6.exe
        renamed because original name is a hash value
        Original Sample Name:2.0.6.exe
        Detection:MAL
        Classification:mal88.evad.winEXE@142/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 28
        • Number of non-executed functions: 87
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps longer than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms or more are ignored
        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.6.exe
        No simulations
        No context
        No context
        No context
        No context
        Match: C:\Program Files (x86)\Windows NT\7zr.exe
        Associated samples (Detection: malicious, Threat Name: Unknown):
        • #U5b89#U88c5#U52a9#U624b2.0.4.exe
        • #U5b89#U88c5#U52a9#U624b2.0.2.exe
        • #U5b89#U88c5#U52a9#U624b2.0.3.exe
        • #U5b89#U88c5#U52a9#U624b2.0.1.exe
        • #U5b89#U88c5#U52a9#U624b2.0.7.exe
        • #U5b89#U88c5#U52a9#U624b2.0.4.exe
        • #U5b89#U88c5#U52a9#U624b2.0.5.exe
        • #U5b89#U88c5#U52a9#U624b2.0.2.exe
        • #U5b89#U88c5#U52a9#U624b2.0.3.exe
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):2410545
                          Entropy (8bit):7.999922598249243
                          Encrypted:true
                          SSDEEP:49152:g6wAukW+yiCbwWUfNV0nkGyIjg1QzigxBeCOg227duaZIN4Zud:g6wlkW+yEWWKkTr7gxAHgtuGyqud
                          MD5:22AB3F365A4BE4A19F0905AB757C3702
                          SHA1:AA1FB50388CD3DBE4495A26601EFA09C7B8229EF
                          SHA-256:709B2D4134B4C54CB331B0C3FA5226CC49C55AD29BC2F5548745FB213F5C0DEB
                          SHA-512:460C32CE230CCA3ED396275725381DB98289B6ACD250CBD7037E2597C849924EA839C5F70B71A8FFF9A5E09C878C52FD6D29F0339F507D3F2C317660F72C5F18
                          Malicious:false
                          Preview:.@S....<.(.,;..............Q9:..9.....&./.}.....|..t%.p.S|O.C0c..i.a6..x.e...I,.r........E`....U...y.<0a.{S.....NL.U".h.gu..J8....@b...vtL.UR.......4...(..W.O.k6..s.2|...uo.&.....,.7.i.6l.b.:..'...%........x..H...zW.\N..)9y....V....-i.....j."v.[....z.oZ.!.......y..7j..'J...U.yI.,....<.9)Q.C.z...l.....CGe:.....?*%i.c$.....:).5.e!z*..qs"..^&,..*g...*.4......".P.r{.P...~...j....y...q..;.o`..[..Ef..E}e.L..1$.^x.j.5...,$v.N.1..o.....4&.bs.C.$.NN.d.+``>.4V....{0..([M....@.$.F..Cd.....C..@P.z.I+.S..-.tA?...od..B:+!.Y..>..H....cM.e/.....+.........C.v.....c....v..u..~...;.z...L..b'...f.1K<.F|.......A,H.z..lf.)0.....l_,...W.....2....b..L.....].c...f#I.F......213....KS.K.......b..DO....Jv|..zHh&!.qo.....[.z.1..z..A.a..=1l..}..o..9....F.2.w:F3.ca.7.d.4X)-.|.wB......"!.3m.rt....fGM...#W...m.".L.m..t.E.....i.X.k8z..4.8..F....-.y...3,k... &..O.....T...7...A..1.b..:g....L..I.`.d.n"...{..g........f....%..r....W]a.Q......K..,..Aa....N.....6vB...9B.
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):2410545
                          Entropy (8bit):7.999922598249243
                          Encrypted:true
                          SSDEEP:49152:g6wAukW+yiCbwWUfNV0nkGyIjg1QzigxBeCOg227duaZIN4Zud:g6wlkW+yEWWKkTr7gxAHgtuGyqud
                          MD5:22AB3F365A4BE4A19F0905AB757C3702
                          SHA1:AA1FB50388CD3DBE4495A26601EFA09C7B8229EF
                          SHA-256:709B2D4134B4C54CB331B0C3FA5226CC49C55AD29BC2F5548745FB213F5C0DEB
                          SHA-512:460C32CE230CCA3ED396275725381DB98289B6ACD250CBD7037E2597C849924EA839C5F70B71A8FFF9A5E09C878C52FD6D29F0339F507D3F2C317660F72C5F18
                          Malicious:false
                          Preview:.@S....<.(.,;..............Q9:..9.....&./.}.....|..t%.p.S|O.C0c..i.a6..x.e...I,.r........E`....U...y.<0a.{S.....NL.U".h.gu..J8....@b...vtL.UR.......4...(..W.O.k6..s.2|...uo.&.....,.7.i.6l.b.:..'...%........x..H...zW.\N..)9y....V....-i.....j."v.[....z.oZ.!.......y..7j..'J...U.yI.,....<.9)Q.C.z...l.....CGe:.....?*%i.c$.....:).5.e!z*..qs"..^&,..*g...*.4......".P.r{.P...~...j....y...q..;.o`..[..Ef..E}e.L..1$.^x.j.5...,$v.N.1..o.....4&.bs.C.$.NN.d.+``>.4V....{0..([M....@.$.F..Cd.....C..@P.z.I+.S..-.tA?...od..B:+!.Y..>..H....cM.e/.....+.........C.v.....c....v..u..~...;.z...L..b'...f.1K<.F|.......A,H.z..lf.)0.....l_,...W.....2....b..L.....].c...f#I.F......213....KS.K.......b..DO....Jv|..zHh&!.qo.....[.z.1..z..A.a..=1l..}..o..9....F.2.w:F3.ca.7.d.4X)-.|.wB......"!.3m.rt....fGM...#W...m.".L.m..t.E.....i.X.k8z..4.8..F....-.y...3,k... &..O.....T...7...A..1.b..:g....L..I.`.d.n"...{..g........f....%..r....W]a.Q......K..,..Aa....N.....6vB...9B.
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):2160403
                          Entropy (8bit):7.999915137888149
                          Encrypted:true
                          SSDEEP:49152:It2n0GjjLAmAsqpaBu1j6HHY98iLNC9s0GSUCrtIQ:fImVwassHHeLmGSPtIQ
                          MD5:0CEBF47D80812A6BAC25DBB7BBD2A4BA
                          SHA1:60C7165E374A09465A6864964E6FCE777A6A397E
                          SHA-256:A3783734750CAE6E97CF1A2FAA2E8716B6C91A9F1D05C23C1370969D01772353
                          SHA-512:D39E65CD10D767937907F1EDD1AA6F1F0D73D83F852635A10C4809C0161D0634C3E8764DD019CB19DEEC7D299D5268D27154997F05675B0E061D0D1C6AC8EB8D
                          Malicious:false
                          Preview:.U_O..h...=...`.f5...........3...._E..M...A.P..)....8.&>..9...Uye..,.X$.^.T...$...\2.uz>H.>E........B#..y..0...k`..C..!.."}.~)..X..gR.P.....E.@l...Tr...._m..m..Pv.....7?A.Z.o#..I>..)S.1.+...........j.L.b....B.2..T. `e_..d:m.~..B..hw..S............YS..:.v`}..%...1.c.H.W.....Y....\..q....$4..+jN.,q...ra.....v*".J$.9.. .}k<..cC...k%7.i+~`.....g.......m.`.3z.......tQxf...vJ:zpV..<..oi)...C....a.G.]...@E]../h..0.e.B..u......@\%.E...T..w....O...3$j.7TTK.?]a..1^/g...05;D. ...Y.&..!......f!.V.......).M..n..].[hu.).....Mc.$l}Db....\..W`...R..0.......)"....n.WR..Y.O...".r.._..>...b.z..d.......w8.,v...9.l.R.U\{..=.}.g.@........Ut.3..Y.....m.....yKz..S?.q..P.qs...il.mN<L..-]m...P..0.z\.`#]....hQL.<...\.Xa.;..V.!.....cJx.\..!t;5< E.&C.~ ;$.u..z..Ay8......#..=.+.....P..B/.'(J..L..hR.h..H.3."..&.!.{.q.*....(.06...............6...........G.Oe......e=.2:AK."o#}>||...!.C....n....M...7....u..=..!..~.. ......N..[Me;OFj.....^V..X5.9}#..Y&.*..".[.`...
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56530
                          Entropy (8bit):7.996728823788979
                          Encrypted:true
                          SSDEEP:1536:VrioFfO629rsDfMEfSVSK8eBlsiviev1MQdQe:V9FfO6fdmSiB1R
                          MD5:5A288ABE66B6DA4DB8C201C03A9ECC52
                          SHA1:EBBDD65A036F97D6F934243B5987D06CB7B7E367
                          SHA-256:C28544764B28D5ED1495194D2390427883D9A0E939B2B68D79C0FD4C68D78888
                          SHA-512:EC0AE2FC22D214AFE200943AE9849F355BFD35355099A0B02991B87236E9626858ED96E9D05468DA3613DDFC50B04F220CB2D9E59EC04F72938C5052E3E5E82F
                          Malicious:false
                          Preview:.@S....93).| ..............:I@.$c......].....<lxe...=.\Kx...X..c.HP..M.:.N.~..T#....6.#......$...w..p.n.~.8\Q.b.y.C.d..`.[../K...g..O.+..?..Qs.T..Z..E..g.6^|..S..]z.u.......0cb.'...+.I....8.q..[>..i..f.X|4=.Hk.q..H`MW.../..^H..>%...i.qk.i.K.[.9...$n...Q......+E..+.......rV0/E...1M>3[....."2m.g.7.).....L..'......gG..,....d..ujm........4.....GN....&.b.E.iw...`S...<..p.......D.....t..o.n.P...yt%..G..C..R..&.ps...."...~......m.%.\w.|.'4...).9.=rE.=...7.....)..t .S.M.=....m.Q.g.....z3.2.......*;./#..e.VaB...X.*...d..{7g.C8).y.,..c...m....r...-.>.3....0.OX...d..xR.6.h.....qH.y+. ..Bs\C..qJ...3q.~........2R.0._a.}.".....!d.....!.R.Ha...}....e.e.;Ts...F..nx.{..f.....7..v. ..X....T=.o.^].>.FU..O....j..c@Jo4!..]...%...R.`.....4."DY8....?.0!..>!..".3.b...".L.Q."..P.f.....wp.7.... .2..GY.?M....]...C.-.E...k.'f&?`........`Gm...d.[.n...v.....U.F.{(..g...R.].....o=.V...1S.k......W$..(x.'.j^..ju.=eD.N..j.~K..J...(..,....cr...G.Il{;.Yam.../j.d..
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56530
                          Entropy (8bit):7.99672882378898
                          Encrypted:true
                          SSDEEP:1536:LLTAuZTNshF+E4azBIlUpDAWPl3TjoVnVVDbsSpWR2q:Lf/u+Vaz2G5AWVTcVnVVnsSoRr
                          MD5:DA365B62C29AA40AB63B36267E132538
                          SHA1:F98E46F576EF5B2FDA1FBCF0FFB455BB91485F0E
                          SHA-256:2522BA39C177784BFEAD3D02AD9F1F778A3ECD389F1114FF41C0D2008D5A02EC
                          SHA-512:8A8037AB919D4B0FA80B9AE0DD82EA1CB443E134A2893AC380F395F9F9EAB722B92446B8F4EA869A4B2C832B6F987975B593E4B42386D7B3F87251B9B74E3717
                          Malicious:false
                          Preview:7z..'......'........2............%M].r..-.?lS.....C6>.!.....s..^.x..sJ.....+Y....5cBN.'.{+Z;..q..&wo....8.`....Z.4.N.u...j.9..5.j..b.F.T..=...t..A..adB.|3....i..j{....yt.&.C.Rw..o..O....RB:..I.gS..Mc.T..f.......N........8..cv.......@/9.....^.j....(.O.i.F.<.~.....w.Q.^.4JQ+I....|......R...9..|.Q.m...%.Q.....5..3.....A.b.!.d..kV...b...&..-.gI.W m....:..E. .-..=.s%s..<m..b0.Gce.....At...E.........C...rR./.P .j.....1.hn..)|..}3.d6....l..G.s...'>`.P.....f.3,2\..,..L......<...?..f^;@.U.....z.w.....j0<V..X...I..p=.......#.}.X;..5h{....../n...-..s=|...8.....M._...+l....G.....0x.,N...gV........G.H......w...'K^.....8.).XR......-.4.V..H..pX.h'.B.t..i6>.d0`.9.%.i..?.>.i....Q..m.)..k=......E3*..F.Z..1....dn..h.x.^......U..!.`...}....-..=.).......~..AC..4['M...q..E:...v.7.g=..N....Og..o..B.iK.L.H3..b./ N",...O.).n..o8.$...N#.x...|S...Q...x.}..v`w.....Y..q./.....u.;V...-.NjgSD...._'2....#>.^..Y...a.>...s..-...h.f~.#g..<..r...O..IHhS....V.g......\.....0...6.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):2410545
                          Entropy (8bit):7.999922598249242
                          Encrypted:true
                          SSDEEP:49152:nLUmXREr6h9uO2l7gP53OuCh+FTUwUQ3uUQ/tcLaSD2+S+PJwygoB:phW6h9vs7gPNOB+FTU8/QVbSDtRwyJB
                          MD5:05396EF5B04CF7708E0B2457EEC78612
                          SHA1:8B60DB96BA19ED35FE4815D59812DAF2E0DA42AD
                          SHA-256:600861E4C0354456CC76021E20F16EA49D9BBB6C9E7AFB808AAA4077FE9235DE
                          SHA-512:FB7DF5B5852FB978EAF7904752A530C91F2AB703E0D973A038173FC15DFBD9C140F0D02DA57BA90C7BEEB22AF2335D14011215578E0D200548AD1CDA8B1CB2ED
                          Malicious:false
                          Preview:7z..'....3. ..$.....A..........l...5"]%..J..n.$...x*...........H.=...D.%.OrO....<.M..}..e..t.8[(t...(.u...Oi .......R.t..a...2+L>...A]a...A..}...~....S#p.HO.......#.".k)...3.w...d8.....r.p...[..F.0m....FEi..K.h|...F..}..5..._>..HF..h,!....:.&k......:./F.`..v.zeGD"\f]..U..\........B.w....a......"#..z.6......V Jh.[_....v...GQ5x.....Q....#...,ce...q].!w>....?@Wn*j.m...A....O.4.-.+.k..g.;....$...p.tx.......q..HWy..\....2..(Ew..p...s!.y...........M..........9.0.2...Q.M..U|ck...5A.%...|7]@V...H..W..././d.......,.........C.#.d._4K.Lo.'p.."G..hg.6$o..^.lYg.;..8~...kB..YX.5.+8.]L.o.T.......6..>mb.......WE.S8..;{.o`..r..T$2.S...wk(R... &<.4.......yZ.!z6..|.......iep..$...Ch......,..6...v.1E....]O .....\L.....1..=3..1z.(^....U.c....t.........L...-?......|..w.x.9H...-.5d....n..b..s.S...V):...ci..!=+...2.7.u..E.\1.\n.1C.S........O.W<./G.G..R0..m*.....HN...N@"^.~#(.-...va.{E.Ph...[..W.$....sb..+.nhn}W-...Bu"....tn. .....IRAxuU. ...j...e.C..7*.<....?.k
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3424857678384283
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnRL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDln4whldOVQOj6dKbKsz7
                          MD5:D763202FE9C52C0C828BBF4C80F03B5F
                          SHA1:64EADDFAF17BFB730AD49846C0720A72592475F1
                          SHA-256:10A3AB55BA79335C2092E87CA04DCA141D3F2133F056375672512EBE4A3F70BF
                          SHA-512:A16C7DDDF5ABB296E29EB23EF065B0F65D96A107494E71DFC4CC580967E620D80DD51BC0D0DCCE9030C1084EB8D54F2AC641A78C989C7F21CDD2D6AF5C89ADDF
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvaila
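The 4096-byte dropped file above is a Task Scheduler XML definition: registered under the URI \kafanbbs, authored as "Microsoft Corporation" with description "Microsoft", fired by a LogonTrigger for the current user, run at HighestAvailable, with AllowHardTerminate false and StartWhenAvailable true. Those are the fields an analyst checks when deciding whether a task is a persistence mechanism rather than a Microsoft-shipped one. The Python below is an added triage example and is not part of the Joe Sandbox report; its TASK_XML is constructed from the visible fragment only (closing tags added, the truncated RunOnlyIfNetworkAvailable element and anything after it, including any Actions, omitted), and the finding labels and the "\Microsoft\ prefix" heuristic are the example's own assumptions.

```python
"""Triage of a Task Scheduler XML definition like the dropped file above.
Added example, not Joe Sandbox code. TASK_XML is constructed from the visible
fragment: closing tags added, truncated trailing elements and Actions omitted."""
import xml.etree.ElementTree as ET
from typing import List

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Constructed sample: the fields visible in the report's preview, nothing more.
TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>
"""


def _text(root: ET.Element, path: str) -> str:
    """Stripped text of the first element at a namespaced path, or ''."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def task_findings(xml_text: str) -> List[str]:
    """Return persistence / masquerade indicators found in a task definition."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    author = _text(root, "t:RegistrationInfo/t:Author")
    uri = _text(root, "t:RegistrationInfo/t:URI")
    # Heuristic (assumption): tasks Microsoft ships are registered under
    # \Microsoft\...; a Microsoft author string on a bare task path is a
    # masquerade pattern worth a second look.
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"author_masquerade: Author={author!r} but URI={uri!r}")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon_persistence: LogonTrigger present")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("elevation: RunLevel=HighestAvailable")
    if (_text(root, "t:Settings/t:AllowHardTerminate") == "false"
            and _text(root, "t:Settings/t:StartWhenAvailable") == "true"):
        findings.append("resilience: AllowHardTerminate=false, StartWhenAvailable=true")
    # Any Exec actions are listed as-is; the constructed sample has none.
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        findings.append(f"action: Exec Command={(cmd.text or '').strip()}")
    return findings


if __name__ == "__main__":
    for finding in task_findings(TASK_XML):
        print(finding)
```

On a live host the same XML can be pulled for any registered task with `schtasks /Query /TN "\kafanbbs" /XML` and fed to task_findings; the Actions element that the preview above cuts off is where the command path would appear.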
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2160403
                          Entropy (8bit):7.999915137888149
                          Encrypted:true
                          SSDEEP:49152:It2n0GjjLAmAsqpaBu1j6HHY98iLNC9s0GSUCrtIQ:fImVwassHHeLmGSPtIQ
                          MD5:0CEBF47D80812A6BAC25DBB7BBD2A4BA
                          SHA1:60C7165E374A09465A6864964E6FCE777A6A397E
                          SHA-256:A3783734750CAE6E97CF1A2FAA2E8716B6C91A9F1D05C23C1370969D01772353
                          SHA-512:D39E65CD10D767937907F1EDD1AA6F1F0D73D83F852635A10C4809C0161D0634C3E8764DD019CB19DEEC7D299D5268D27154997F05675B0E061D0D1C6AC8EB8D
                          Malicious:false
                          Preview:.U_O..h...=...`.f5...........3...._E..M...A.P..)....8.&>..9...Uye..,.X$.^.T...$...\2.uz>H.>E........B#..y..0...k`..C..!.."}.~)..X..gR.P.....E.@l...Tr...._m..m..Pv.....7?A.Z.o#..I>..)S.1.+...........j.L.b....B.2..T. `e_..d:m.~..B..hw..S............YS..:.v`}..%...1.c.H.W.....Y....\..q....$4..+jN.,q...ra.....v*".J$.9.. .}k<..cC...k%7.i+~`.....g.......m.`.3z.......tQxf...vJ:zpV..<..oi)...C....a.G.]...@E]../h..0.e.B..u......@\%.E...T..w....O...3$j.7TTK.?]a..1^/g...05;D. ...Y.&..!......f!.V.......).M..n..].[hu.).....Mc.$l}Db....\..W`...R..0.......)"....n.WR..Y.O...".r.._..>...b.z..d.......w8.,v...9.l.R.U\{..=.}.g.@........Ut.3..Y.....m.....yKz..S?.q..P.qs...il.mN<L..-]m...P..0.z\.`#]....hQL.<...\.Xa.;..V.!.....cJx.\..!t;5< E.&C.~ ;$.u..z..Ay8......#..=.+.....P..B/.'(J..L..hR.h..H.3."..&.!.{.q.*....(.06...............6...........G.Oe......e=.2:AK."o#}>||...!.C....n....M...7....u..=..!..~.. ......N..[Me;OFj.....^V..X5.9}#..Y&.*..".[.`...
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:Nlllul5mxllp:NllU4x/
                          MD5:3A925CB766CE4286E251C26E90B55CE8
                          SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                          SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                          SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.5305633078734635
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:65559DDD30465F50270FB7E9EE6E6C7C
                          SHA1:0645894756C448F9DE22FAE9E65EF1DA36FE63CE
                          SHA-256:EABC186313A00D4795DA37132F1549C754E093E9B1B6D706AAD01528AE5D986F
                          SHA-512:B858B63FD23F75D114DA89B79B94272679110F5D149890783CB28960A23299F22CE723918CAFCD4FAC3198C59A2AE32787E6C08A1CBF1AC69C789361662CF43D
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.5305633078734635
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:65559DDD30465F50270FB7E9EE6E6C7C
                          SHA1:0645894756C448F9DE22FAE9E65EF1DA36FE63CE
                          SHA-256:EABC186313A00D4795DA37132F1549C754E093E9B1B6D706AAD01528AE5D986F
                          SHA-512:B858B63FD23F75D114DA89B79B94272679110F5D149890783CB28960A23299F22CE723918CAFCD4FAC3198C59A2AE32787E6C08A1CBF1AC69C789361662CF43D
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
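The 7zr.exe log above records extraction of locale3.dat, a 31890-byte 7z archive whose method list ends in 7zAES (the archive was password-protected, so the password is carried in the installer), producing a single 63640-byte file; that size matches the 63640-byte PE32+ native (driver) image dropped by 7zr.exe listed above. The other 7-zip entries above carry the same 7z signature bytes (rendered "7z..'." in the previews) at entropy near 8.0. The Python below is an added example, not Joe Sandbox code: it reproduces the File Type / Entropy / Encrypted fields on constructed sample bytes, flags content-versus-extension mismatches, and parses the 7-Zip log. The 7.9 entropy cut-off for "Encrypted" and the expected-extension table are assumptions; the log text is transcribed from the entry above with its CR/LF line terminators restored.

```python
"""Dropped-file triage: reproduces the File Type / Entropy / Encrypted fields of the
report entries above and parses a 7-Zip extraction log. Added example, not Joe
Sandbox code; sample bytes and the expected-extension table are constructed."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Union

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # renders as "7z..'." in the previews above
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000
ENTROPY_ENCRYPTED = 7.9   # assumption: the sandbox's own Encrypted cut-off is not published
EXPECTED_EXT = {"7z": {".7z"}, "PE": {".exe", ".dll", ".sys", ".scr", ".tmp"}}  # assumption


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as in the Entropy field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Best-effort equivalent of the report's File Type wording."""
    if data.startswith(SEVEN_ZIP_MAGIC) and len(data) >= 8:
        return f"7-zip archive data, version {data[6]}.{data[7]}"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        off = int.from_bytes(data[0x3C:0x40], "little")   # e_lfanew
        opt = off + 24                                     # optional header after 4+20 bytes
        if data[off:off + 4] == b"PE\0\0" and len(data) >= opt + 70:
            machine = int.from_bytes(data[off + 4:off + 6], "little")
            chars = int.from_bytes(data[off + 22:off + 24], "little")
            magic = int.from_bytes(data[opt:opt + 2], "little")
            subsystem = int.from_bytes(data[opt + 68:opt + 70], "little")
            fmt = "PE32+" if magic == 0x20B else "PE32"
            dll = "(DLL) " if chars & IMAGE_FILE_DLL else ""
            return (f"{fmt} executable {dll}({SUBSYSTEMS.get(subsystem, '?')}) "
                    f"{MACHINES.get(machine, hex(machine))}, for MS Windows")
    return "data"


@dataclass
class Triage:
    name: str
    file_type: str
    entropy: float
    encrypted: bool
    extension_mismatch: bool


def triage(name: str, data: bytes) -> Triage:
    """Flag a .dat that is really a 7z archive (content does not match extension)."""
    ftype = identify(data)
    ent = shannon_entropy(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    key = "PE" if ftype.startswith("PE") else "7z" if ftype.startswith("7-zip") else None
    mismatch = key is not None and ext not in EXPECTED_EXT[key]
    return Triage(name, ftype, round(ent, 6), ent >= ENTROPY_ENCRYPTED, mismatch)


def parse_7z_log(text: str) -> Dict[str, Union[str, int, bool]]:
    """Extract what 7-Zip prints about an archive; 7zAES in Method = password-protected."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    pat = r"^(Path|Type|Physical Size|Headers Size|Method|Size|Compressed)\s*[=:]\s*(.+?)\s*$"
    out: Dict[str, Union[str, int, bool]] = {}
    for key, val in re.findall(pat, text, re.M):
        out[key] = int(val) if val.isdigit() else val
    out["encrypted"] = "7zAES" in str(out.get("Method", ""))
    return out


def build_pe(machine: int, characteristics: int, subsystem: int, pe32plus: bool) -> bytes:
    """Minimal MZ/PE header stub (constructed fixture, not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = machine.to_bytes(2, "little") + b"\0" * 16 + characteristics.to_bytes(2, "little")
    opt = bytearray(112)
    opt[0:2] = (0x20B if pe32plus else 0x10B).to_bytes(2, "little")
    opt[68:70] = subsystem.to_bytes(2, "little")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


ARCHIVE_SAMPLE = SEVEN_ZIP_MAGIC + b"\x00\x04" + bytes(range(256)) * 4   # constructed
DRIVER_SAMPLE = build_pe(0x8664, 0x0022, 1, True)                          # constructed
SEVENZIP_LOG = (  # transcribed from the 7zr.exe log entry above
    "7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n\r\n"
    "Scanning the drive for archives:\r\n1 file, 31890 bytes (32 KiB)\r\n\r\n"
    "Extracting archive: locale3.dat\r\n--\r\nPath = locale3.dat\r\nType = 7z\r\n"
    "Physical Size = 31890\r\nHeaders Size = 354\r\n"
    "Method = LZMA2:16 LZMA:16 BCJ2 7zAES\r\nSolid = -\r\nBlocks = 1\r\n\r\n"
    "Everything is Ok\r\n\r\nSize:       63640\r\nCompressed: 31890\r\n"
)

if __name__ == "__main__":
    print(triage("locale3.dat", ARCHIVE_SAMPLE))
    print(triage("driver.sys", DRIVER_SAMPLE))
    print(parse_7z_log(SEVENZIP_LOG))
```

Run against a directory of dropped files, triage() reproduces the "content does not match file extension" finding for every .dat that starts with the 7z signature, and parse_7z_log() over the installer's 7-Zip output ties each archive to the size of what came out of it.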
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.956049914920317
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U52a9#U624b2.0.6.exe
                          File size:8'206'704 bytes
                          MD5:c5c5262b26879c84d470ef4a5b73663d
                          SHA1:c907618ac1db8f8186469e0bcfff2debc0b49fdd
                          SHA256:b53886e5499226b7565d65fd25ecd448f82434cac355d799ea2e39e0d822b234
                          SHA512:5a859f9164d18ba5cf9dfc109e7c0b024cc30d18ab03d109ec950529c7b3a7a782db19159c6d353567c4d12cf2a83d894af251848bdc20b04a36129a25b397df
                          SSDEEP:98304:XwRE36w8t6MocqxphH99gaAEglulhqv8om22U2t9+/LQdHMeiTNmJaSj5wylhNbv:lGt8jxP99PF6vXG01TUASjbLjn
                          TLSH:2C862223F2CBE13DE45A0B3B05B2A55894FB6A216823AD5396ECB4ECCF351501D3E647
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F7D1CD6E735h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F7D1CE000BBh
                          call 00007F7D1CDFFC0Eh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F7D1CDFA8E8h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F7D1CD687E3h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F7D1CDFBC13h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F7D1CE00143h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F7D1CE06E2Ah
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F7D1CDFC508h
                          mov edx, dword ptr [004B4200h]
                          Name                                  Virtual Address  Virtual Size  Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                          Name    | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
                          .text   | 0x1000          | 0xa568c      | 0xa5800  | b889d302f6fc48a904de33d8d947ae80 | False    | 0.3620185045317221  | data      | 6.377190161826806  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext  | 0xa7000         | 0x1b64       | 0x1c00   | 588dd0a8ab499300d3701cbd11b017d9 | False    | 0.548828125         | data      | 6.109264411030635  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data   | 0xa9000         | 0x3838       | 0x3a00   | 5c0c76e77aef52ebc6702430837ccb6e | False    | 0.35338092672413796 | data      | 4.95916338709992   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss    | 0xad000         | 0x7258       | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata  | 0xb5000         | 0xfec        | 0x1000   | 627340dff539ef99048969aa4824fb2d | False    | 0.380615234375      | data      | 5.020404933181373  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000         | 0x1a4        | 0x200    | fd11c1109737963cc6cb7258063abfd6 | False    | 0.34765625          | data      | 2.729290535217263  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata  | 0xb7000         | 0x71         | 0x200    | 7de8ca0c7a61668a728fd3a88dc0942d | False    | 0.1796875           | data      | 1.305578535725827  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls    | 0xb8000         | 0x18         | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                   | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata  | 0xb9000         | 0x5d         | 0x200    | d84006640084dc9f74a07c2ff9c7d656 | False    | 0.189453125         | data      | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc  | 0xba000         | 0x10fa8      | 0x11000  | a85fda2741bd9417695daa5fc5a9d7a5 | False    | 0.5789579503676471  | data      | 6.709466460182023  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc   | 0xcb000         | 0x11000      | 0x11000  | 85eb1c4931e9d0b4430fde2d42f1c51b | False    | 0.187744140625      | data      | 3.723418370548741  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
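                          Reading the section table: the entry point 0x4a83bc (image base 0x400000, RVA 0xa83bc) falls in .itext, Delphi's second code section, and no section's entropy exceeds 6.71 although the whole file scores 7.956. The raw section sizes sum to 844,800 bytes; with a 0x400-byte header (an assumption, the report does not print SizeOfHeaders) that is 845,824, the second number in the /SL5= argument of the .tmp child process, so roughly 7.36 MB of the 8,206,704-byte file lies past the last section as overlay, which is where the Inno Setup payload and the entropy live. The script below is an added example, not code from the report or from Joe Sandbox: it parses a PE section table, computes per-section, overlay and whole-file entropy, locates the entry-point section and prints these findings. It runs on a constructed PE32 built in build_sample_pe() (section names, sizes and bytes are made up; the report's sample is not embedded) and on any real file via parse_pe(open(path, 'rb').read()).

```python
# Static PE triage: section entropies, entry-point section, overlay size. Added example.
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse COFF header, AddressOfEntryPoint and section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):                    # 40-byte IMAGE_SECTION_HEADERs after the optional header
        name, vsize, va, rawsize, rawptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3),
            "executable": bool(chars & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
        })
    end = max((s["rawptr"] + s["rawsize"] for s in sections), default=0)
    entry = next((s for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "pe32plus": magic == 0x20B,
        "entry_rva": entry_rva,
        "entry_section": entry["name"] if entry else None,
        "entry_executable": bool(entry and entry["executable"]),
        "sections": sections,
        "overlay_offset": end,                        # bytes past here belong to no section
        "overlay_size": max(0, len(data) - end),
        "overlay_entropy": round(shannon_entropy(data[end:]), 3),
        "file_entropy": round(shannon_entropy(data), 3),
    }


def triage(info: dict) -> list:
    """Findings of the kind the report's static tables let you derive by hand."""
    findings = []
    if info["entry_section"] is None:
        findings.append("entry point lies outside every section")
    elif not info["entry_executable"]:
        findings.append(f"entry point in non-executable section {info['entry_section']}")
    if info["overlay_size"] and info["overlay_entropy"] > 7.5:
        findings.append(f"{info['overlay_size']} bytes of high-entropy overlay after the last section")
    if info["file_entropy"] > 7.5 and all(s["entropy"] < 7.0 for s in info["sections"]):
        findings.append("whole-file entropy is high although no section is: the payload is in the overlay")
    return findings


def build_sample_pe(overlay_len: int = 32768) -> bytes:
    """Constructed PE32 (not the report's sample): low-entropy .text, a small .itext
    holding the entry point, and a pseudo-random overlay appended after the sections."""
    rng = random.Random(7)
    opt_size, nsec = 224, 2
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                         # AddressOfEntryPoint, inside .itext
    raw0 = (64 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF     # first raw offset, 0x200-aligned
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x1000, 0x200, raw0, 0x60000020),
            (b".itext", 0x2000, 0x200, 0x200, raw0 + 0x200, 0x60000020)]
    hdrs = b"".join(struct.pack("<8sIIII12xI", n, vs, va, rs, rp, ch)
                    for n, va, vs, rs, rp, ch in secs)
    img = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    img += bytes(raw0 - len(img))
    img += b"\x90" * 0x1F0 + b"\xCC" * 0x10                         # .text: NOP sled plus int3 padding
    img += b"\x55\x8B\xEC\x83\xC4\xA4\x53\x56" * 64                 # .itext: the report's prologue bytes, repeated
    img += bytes(rng.getrandbits(8) for _ in range(overlay_len))    # overlay: stand-in for a packed payload
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f'{s["name"]:8} va=0x{s["va"]:x} raw=0x{s["rawsize"]:x} entropy={s["entropy"]}')
    print(f'entry in {info["entry_section"]}, overlay {info["overlay_size"]} bytes '
          f'(entropy {info["overlay_entropy"]}), file entropy {info["file_entropy"]}')
    for f in triage(info):
        print("-", f)
```

                          The overlay boundary is the largest PointerToRawData + SizeOfRawData over all sections, which is why sections with a raw size of 0 (.bss, .tls here) do not move it; anything the PE loader never maps but the file still carries, such as an Inno Setup data stream, shows up as that gap and explains a whole-file entropy that no section accounts for.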
                          Name          | RVA     | Size   | Type                                                                                    | Language | Country       | ZLIB Complexity
                          RT_ICON       | 0xcb678 | 0xa68  | Device independent bitmap graphic, 64 x 128 x 4, image size 2048                        | English  | United States | 0.1174924924924925
                          RT_ICON       | 0xcc0e0 | 0x668  | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                         | English  | United States | 0.15792682926829268
                          RT_ICON       | 0xcc748 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 512                          | English  | United States | 0.23387096774193547
                          RT_ICON       | 0xcca30 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128                          | English  | United States | 0.39864864864864863
                          RT_ICON       | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors  | English  | United States | 0.08339210155148095
                          RT_ICON       | 0xce180 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors   | English  | United States | 0.1023454157782516
                          RT_ICON       | 0xcf028 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors   | English  | United States | 0.10649819494584838
                          RT_ICON       | 0xcf8d0 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors    | English  | United States | 0.10838150289017341
                          RT_ICON       | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                             | English  | United States | 0.8712011577424024
                          RT_ICON       | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896                      | English  | United States | 0.05668398677373642
                          RT_ICON       | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                        | English  | United States | 0.08475103734439834
                          RT_ICON       | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                        | English  | United States | 0.09920262664165103
                          RT_ICON       | 0xd8998 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                        | English  | United States | 0.2047872340425532
                          RT_STRING     | 0xd8e00 | 0x3f8  | data                                                                                    |          |               | 0.3198818897637795
                          RT_STRING     | 0xd91f8 | 0x2dc  | data                                                                                    |          |               | 0.36475409836065575
                          RT_STRING     | 0xd94d4 | 0x430  | data                                                                                    |          |               | 0.40578358208955223
                          RT_STRING     | 0xd9904 | 0x44c  | data                                                                                    |          |               | 0.38636363636363635
                          RT_STRING     | 0xd9d50 | 0x2d4  | data                                                                                    |          |               | 0.39226519337016574
                          RT_STRING     | 0xda024 | 0xb8   | data                                                                                    |          |               | 0.6467391304347826
                          RT_STRING     | 0xda0dc | 0x9c   | data                                                                                    |          |               | 0.6410256410256411
                          RT_STRING     | 0xda178 | 0x374  | data                                                                                    |          |               | 0.4230769230769231
                          RT_STRING     | 0xda4ec | 0x398  | data                                                                                    |          |               | 0.3358695652173913
                          RT_STRING     | 0xda884 | 0x368  | data                                                                                    |          |               | 0.3795871559633027
                          RT_STRING     | 0xdabec | 0x2a4  | data                                                                                    |          |               | 0.4275147928994083
                          RT_RCDATA     | 0xdae90 | 0x10   | data                                                                                    |          |               | 1.5
                          RT_RCDATA     | 0xdaea0 | 0x310  | data                                                                                    |          |               | 0.6173469387755102
                          RT_RCDATA     | 0xdb1b0 | 0x2c   | data                                                                                    |          |               | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc   | data                                                                                    | English  | United States | 0.6170212765957447
                          RT_VERSION    | 0xdb298 | 0x584  | data                                                                                    | English  | United States | 0.2797450424929179
                          RT_MANIFEST   | 0xdb81c | 0x7a8  | XML 1.0 document, ASCII text, with CRLF line terminators                                | English  | United States | 0.3377551020408163
                          DLL          | Imports
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll   | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name                | Ordinal | Address
                          __dbk_fcall_wrapper | 2       | 0x40fc10
                          dbkFCallWrapperAddr | 1       | 0x4b063c
                          Language of compilation system | Country where language is spoken
                          English                        | United States
                          No network behavior found
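                          The process section below gives the installer's run sequence as command lines: powershell.exe adding a Windows Defender exclusion for the whole C:\ drive, cmd.exe and sc.exe registering a kernel-mode service (type= kernel, start= auto) whose binPath is a .dll under C:\Program Files (x86)\Windows NT\, 7zr.exe extracting res.dat and locale3.dat with the archive passwords on the command line, and repeated sc start CleverSoar calls. All of this is visible from process-creation telemetry alone (Sysmon event 1, or Security 4688 with command-line auditing). The script below is an added example written for this page, not detection content from the report or from any vendor; its sample events are those command lines copied from the process list, plus one constructed event (marked in the code) that hides the same Add-MpPreference call behind -EncodedCommand, to show that the check has to decode base64/UTF-16LE before matching. Which paths count as broad and which archive extensions count as ordinary are my assumptions.

```python
# Detections over process-creation command lines. Added example; illustrative rules only.
import base64
import re

# Command lines copied from the report's process list (Target IDs 3, 8, 9, 11, 13, 16).
REPORT_EVENTS = [
    ("powershell.exe", "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("cmd.exe", 'cmd /c start sc create CleverSoar displayname= CleverSoar binPath= '
                '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ("sc.exe", 'sc create CleverSoar displayname= CleverSoar binPath= '
               '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ("7zr.exe", "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ("7zr.exe", "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    ("sc.exe", "sc start CleverSoar"),
]
# Constructed (not from the report): the same exclusion hidden behind -EncodedCommand.
ENCODED_EVENT = ("powershell.exe", "powershell.exe -nop -w hidden -enc "
                 + base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode())

ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)        # -e / -enc / -EncodedCommand
EXCL_RE = re.compile(r"""-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
BROAD_RE = re.compile(r"^[a-z]:\\?$|^[a-z]:\\(Users|Windows|ProgramData|Program Files( \(x86\))?)\\?$", re.I)
SC_KV_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')                # sc's "key= value" syntax
SEVENZIP_RE = re.compile(r"\b7z[ar]?(?:\.exe)?\s+[xe]\b(.*)", re.I)    # 7z / 7za / 7zr extract
ARCHIVE_EXTS = {"7z", "zip", "rar", "gz", "xz", "bz2", "tar", "cab", "wim", "iso"}  # assumption


def powershell_text(cmdline: str) -> str:
    """Command line plus every -EncodedCommand payload decoded (base64 of UTF-16LE)."""
    text = cmdline
    for b64 in ENC_RE.findall(cmdline):
        try:
            text += "\n" + base64.b64decode(b64).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return text


def parse_sc_create(cmdline: str):
    """Return {name, binpath, type, start, ...} for an 'sc create' invocation, else None."""
    m = re.search(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", cmdline, re.I)
    if not m:
        return None
    svc = {k.lower(): (quoted or bare) for k, quoted, bare in SC_KV_RE.findall(m.group(2))}
    svc["name"] = m.group(1)
    return svc


def parse_7z_extract(cmdline: str):
    """Return {archive, password} for a 7z-family 'x' or 'e' command, else None."""
    m = SEVENZIP_RE.search(cmdline)
    if not m:
        return None
    args = m.group(1).split()
    return {"archive": next((a for a in args if not a.startswith("-")), None),
            "password": next((a[2:] for a in args if a.startswith("-p")), None)}


def detect(image: str, cmdline: str) -> list:
    """Return (rule, severity, detail) tuples for one process-creation event."""
    findings = []
    if image.lower().endswith(("powershell.exe", "pwsh.exe")):
        for kind, q1, q2, bare in EXCL_RE.findall(powershell_text(cmdline)):
            for value in (q1 or q2 or bare).split(","):
                value = value.strip()
                sev = "high" if BROAD_RE.match(value) else "medium"
                findings.append(("defender_exclusion", sev, f"{kind}: {value}"))
    svc = parse_sc_create(cmdline)
    if svc and svc.get("type", "").lower() in ("kernel", "filesys"):
        path = svc.get("binpath", "")
        odd = not path.lower().endswith(".sys") or "\\system32\\drivers\\" not in path.lower()
        findings.append(("driver_service_create", "high" if odd else "low", f"{svc['name']} -> {path}"))
    arc = parse_7z_extract(cmdline)
    if arc and arc["password"] is not None:
        name = arc["archive"] or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        sev = "high" if ext not in ARCHIVE_EXTS else "low"
        findings.append(("password_archive_extract", sev, f"{name} (password on command line)"))
    return findings


if __name__ == "__main__":
    for image, cmdline in REPORT_EVENTS + [ENCODED_EVENT]:
        for rule, sev, detail in detect(image, cmdline):
            print(f"[{sev:6}] {rule:25} {image:15} {detail}")
```

                          Run against the report's events, the script flags the Defender exclusion as high (drive root), both the cmd.exe wrapper and the sc.exe child for the kernel service (a .dll outside System32\drivers), and both 7zr extractions (password given, .dat rather than an archive extension); the bare sc start CleverSoar lines produce nothing on their own and are better correlated with the preceding create. A legitimate driver install (binPath ending in .sys under System32\drivers) is still reported, at low severity, so the rule stays auditable rather than silent.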


                          Target ID:0
                          Start time:07:14:06
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
                          Imagebase:0xf00000
                          File size:8'206'704 bytes
                          MD5 hash:C5C5262B26879C84D470EF4A5B73663D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:07:14:07
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-O5N2C.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$2046E,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
                          Imagebase:0x780000
                          File size:3'366'912 bytes
                          MD5 hash:65559DDD30465F50270FB7E9EE6E6C7C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:07:14:07
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff7b2bb0000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:07:14:07
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:07:14:11
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff6616b0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:07:14:16
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
                          Imagebase:0xf00000
                          File size:8'206'704 bytes
                          MD5 hash:C5C5262B26879C84D470EF4A5B73663D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:7
                          Start time:07:14:16
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-TUM9M.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$401F4,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
                          Imagebase:0xad0000
                          File size:3'366'912 bytes
                          MD5 hash:65559DDD30465F50270FB7E9EE6E6C7C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:07:14:19
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:07:14:19
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:07:14:19
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:07:14:19
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0x10000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          Has exited:true

                          Target ID:12
                          Start time:07:14:19
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0x10000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:07:14:20
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:07:14:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:07:14:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:07:14:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:07:14:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff75b0e0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff620390000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:07:14:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6c5490000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

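The records above repeat the same cmd.exe / sc.exe / conhost.exe triple at roughly one-second intervals, every one of them issuing `sc start CleverSoar` (the `start` in `cmd /c start ...` detaches sc.exe into its own console, which is why each attempt also produces a conhost.exe). The script below is an added worked example, not part of the Joe Sandbox report or of the sample's code: it parses records in the report's key:value layout and flags any service whose direct `sc.exe start` invocations cluster inside a short window, which is the shape of a service-start retry loop. The sample records are constructed to mirror a few of the Target IDs shown on this page plus one benign `sc query` control (Target ID 200) that is not on the page; the five-second window and three-attempt threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the report's record layout: a subset of the Target IDs
# shown on this page, plus one benign control record (ID 200) that is not on
# the page and exists only to show a non-matching sc.exe invocation.
SAMPLE_RECORDS = """\
Target ID:67
Start time:07:14:23
Start date:24/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:68
Start time:07:14:23
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:69
Start time:07:14:23
Start date:24/12/2024
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1

Target ID:71
Start time:07:14:23
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:77
Start time:07:14:24
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:98
Start time:07:14:25
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar

Target ID:200
Start time:07:20:00
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc query wuauserv
"""

SC_START = re.compile(r"^sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
CMD_WRAPPER = re.compile(r"\bstart\s+sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_records(text):
    """Split the key:value dump into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")  # split at first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if "Target ID" in rec:
            rec["started"] = datetime.strptime(
                f"{rec['Start date']} {rec['Start time']}", "%d/%m/%Y %H:%M:%S")
            records.append(rec)
    return records


def _image(rec):
    """Image file name from the Path field, lower-cased."""
    return rec.get("Path", "").rsplit("\\", 1)[-1].lower()


def cmd_wrappers(records):
    """Count `cmd /c start sc start <svc>` launches per service (the parent pattern)."""
    counts = defaultdict(int)
    for rec in records:
        m = CMD_WRAPPER.search(rec.get("Commandline", ""))
        if _image(rec) == "cmd.exe" and m:
            counts[m.group(1)] += 1
    return dict(counts)


def sc_start_bursts(records, window=timedelta(seconds=5), min_attempts=3):
    """Return {service: (largest burst, total attempts)} for services whose
    sc.exe start attempts reach min_attempts inside `window`.
    Only sc.exe itself is counted, so the cmd wrapper is not double-counted."""
    by_service = defaultdict(list)
    for rec in records:
        m = SC_START.match(rec.get("Commandline", ""))
        if _image(rec) == "sc.exe" and m:
            by_service[m.group(1)].append(rec["started"])
    flagged = {}
    for service, times in by_service.items():
        times.sort()
        largest, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over sorted times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            largest = max(largest, j - i)
        if largest >= min_attempts:
            flagged[service] = (largest, len(times))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("cmd wrappers:", cmd_wrappers(recs))
    print("flagged:", sc_start_bursts(recs))
```

Counting only sc.exe executions keeps the cmd wrapper from inflating the attempt count, while the wrapper count is reported separately so the parent-child pattern stays visible. The same logic transfers to live process-creation telemetry (Security event 4688 or Sysmon event 1) once the image path, command line and timestamp fields are mapped onto the keys the parser expects.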
                            Execution Graph

                            Execution Coverage:2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:15.2%
                            Total number of Nodes:834
                            Total number of Limit Nodes:10
                            execution_graph: interactive node graph, not recoverable as text (the node dump is cut off at extraction). API calls named on the graph's nodes, grouped by the routine the graph attaches them to:
                            6c84d043 ff. (CRT read path, __dosmaperr / __wsopen_s / __Getctype): GetConsoleMode, ReadConsoleW, ReadFile, GetLastError, HeapFree
                            6c835690: OpenSCManagerA
                            6c8357b0: CreateToolhelp32Snapshot (4 API calls)
                            6c835560: CreateProcessA (4 API calls)
                            6c8362d0: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction
                            6c6be8dd: GetCurrentProcess, TerminateProcess
                            6c6bfbe8: ExitWindowsEx, Sleep
                            6c6b5164: CreateFileA, CloseHandle
                            6c836fb3 (std::_Facet_Register): IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection
                            6c6c37d0, 6c6c2452: Sleep
                            6c835ed0, 6c6d6ba0: 104 API calls; 6c6d7090: 77 API calls; 6c6fe010: 67 API calls; 6c6d6e60: 32 API calls; 6c831df0: 25 API calls, 4 library calls; 6c84d46e: 23 API calls, 3 library calls; 6c84d726: 21 API calls; 6c84b1d9: 20 API calls; 6c6b15e0, 6c8406a0, 6c840690: 18 API calls
API calls 83448->83451 83449 6c6bc7a5 83450 6c836fb3 std::_Facet_Register 4 API calls 83449->83450 83459 6c6bc753 _Yarn _strlen 83450->83459 83451->83459 83452->83321 83452->83448 83452->83449 83452->83459 83453 6c6bd3ed 83455 6c836fb3 std::_Facet_Register 4 API calls 83453->83455 83454 6c6bd406 83456 6c836fb3 std::_Facet_Register 4 API calls 83454->83456 83457 6c6bd39a _Yarn 83455->83457 83456->83457 83458 6c835ed0 104 API calls 83457->83458 83460 6c6bd458 std::ios_base::_Ios_base_dtor _strlen 83458->83460 83459->83338 83459->83453 83459->83454 83459->83457 83465 6c6bcb2f 83459->83465 83460->83321 83461 6c6bd8bb 83460->83461 83462 6c6bd8a4 83460->83462 83466 6c6bd852 _Yarn _strlen 83460->83466 83464 6c836fb3 std::_Facet_Register 4 API calls 83461->83464 83463 6c836fb3 std::_Facet_Register 4 API calls 83462->83463 83463->83466 83464->83466 83466->83338 83467 6c6bdccf 83466->83467 83468 6c6bdcb6 83466->83468 83471 6c6bdc69 _Yarn 83466->83471 83470 6c836fb3 std::_Facet_Register 4 API calls 83467->83470 83469 6c836fb3 std::_Facet_Register 4 API calls 83468->83469 83469->83471 83470->83471 83472 6c835ed0 104 API calls 83471->83472 83474 6c6bdd1c std::ios_base::_Ios_base_dtor 83472->83474 83473 6c835560 4 API calls 83473->83404 83474->83321 83474->83473 83477 6c836fb8 83475->83477 83476 6c836fd2 83476->83319 83477->83476 83480 6c836fd4 std::_Facet_Register 83477->83480 83589 6c83f584 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 83477->83589 83479 6c837e33 std::_Facet_Register 83593 6c8398e9 RaiseException 83479->83593 83480->83479 83590 6c8398e9 RaiseException 83480->83590 83482 6c83862c IsProcessorFeaturePresent 83488 6c838651 83482->83488 83484 6c837df3 83591 6c8398e9 RaiseException 83484->83591 83486 6c837e13 std::invalid_argument::invalid_argument 83592 6c8398e9 RaiseException 83486->83592 83488->83319 83490 6c82b446 FindFirstFileA 83489->83490 83491 6c82b444 83489->83491 83492 6c82b480 83490->83492 83491->83490 83493 6c82b484 FindClose 
83492->83493 83494 6c82b4e2 83492->83494 83493->83492 83494->83325 83497 6c8356c6 83495->83497 83496 6c835758 OpenServiceA 83496->83497 83497->83496 83498 6c83579f 83497->83498 83498->83369 83504 6c820913 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 83499->83504 83500 6c8244cf CloseHandle 83500->83504 83501 6c82367e CloseHandle 83501->83504 83502 6c822a8b CloseHandle 83502->83504 83503 6c6c37cb 83507 6c8362d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 83503->83507 83504->83500 83504->83501 83504->83502 83504->83503 83505 6c80c750 WriteFile WriteFile WriteFile ReadFile 83504->83505 83594 6c80bca0 83504->83594 83505->83504 83507->83336 83509 6c6d6bd5 83508->83509 83605 6c702020 83509->83605 83511 6c6d6c68 83512 6c836fb3 std::_Facet_Register 4 API calls 83511->83512 83513 6c6d6ca0 83512->83513 83622 6c837897 83513->83622 83515 6c6d6cb4 83634 6c701d90 83515->83634 83518 6c6d6d8e 83518->83381 83520 6c6d6dc8 83642 6c7026e0 24 API calls 4 library calls 83520->83642 83522 6c6d6dda 83643 6c8398e9 RaiseException 83522->83643 83524 6c6d6def 83525 6c6fe010 67 API calls 83524->83525 83526 6c6d6e0f 83525->83526 83526->83381 83528 6c6d6e9f 83527->83528 83531 6c6d6eb3 83528->83531 84033 6c703560 32 API calls std::_Xinvalid_argument 83528->84033 83534 6c6d6f5b 83531->83534 84035 6c702250 30 API calls 83531->84035 84036 6c7026e0 24 API calls 4 library calls 83531->84036 84037 6c8398e9 RaiseException 83531->84037 83533 6c6d6f6e 83533->83381 83534->83533 84034 6c7037e0 32 API calls std::_Xinvalid_argument 83534->84034 83538 6c6d709e 83537->83538 83542 6c6d70d1 83537->83542 84038 6c7001f0 83538->84038 83540 6c6d7183 83540->83369 83542->83540 84042 6c702250 30 API calls 83542->84042 83543 6c841088 67 API calls 83543->83542 83545 6c6d71ae 84043 6c702340 24 API calls 83545->84043 83547 6c6d71be 84044 6c8398e9 RaiseException 83547->84044 83549 6c6d71c9 83551 6c6fe04b 83550->83551 83552 6c7001f0 64 API calls 83551->83552 
83555 6c6fe0a3 83551->83555 83553 6c6fe098 83552->83553 83554 6c841088 67 API calls 83553->83554 83554->83555 83555->83369 83556->83364 83558 6c83563a 83557->83558 83559 6c8355f0 WaitForSingleObject CloseHandle CloseHandle 83558->83559 83560 6c835653 83558->83560 83559->83558 83560->83373 83561->83387 83563 6c835f27 83562->83563 84090 6c836560 83563->84090 83565 6c835f38 83566 6c6d6ba0 104 API calls 83565->83566 83576 6c835f5c 83566->83576 83567 6c835fd7 83568 6c6fe010 67 API calls 83567->83568 83569 6c83600f std::ios_base::_Ios_base_dtor 83568->83569 83571 6c6fe010 67 API calls 83569->83571 83573 6c836052 std::ios_base::_Ios_base_dtor 83571->83573 83572 6c835fc4 84127 6c836100 83572->84127 83573->83424 83576->83567 83576->83572 84109 6c8368b0 83576->84109 84117 6c712370 83576->84117 83577 6c835fcc 83578 6c6d7090 77 API calls 83577->83578 83578->83567 83579->83415 83581 6c835810 std::locale::_Setgloballocale 83580->83581 83582 6c8357e7 CloseHandle 83581->83582 83583 6c835890 Process32NextW 83581->83583 83584 6c835921 83581->83584 83585 6c8358b5 Process32FirstW 83581->83585 83582->83581 83583->83581 83584->83344 83585->83581 83586->83361 83588->83343 83589->83477 83590->83484 83591->83486 83592->83479 83593->83482 83595 6c80bcb3 _Yarn __wsopen_s std::locale::_Setgloballocale 83594->83595 83596 6c80c6f0 83595->83596 83597 6c80c25d CreateFileA 83595->83597 83599 6c80afa0 83595->83599 83596->83504 83597->83595 83602 6c80afb3 __wsopen_s std::locale::_Setgloballocale 83599->83602 83600 6c80b959 WriteFile 83600->83602 83601 6c80b9ad WriteFile 83601->83602 83602->83600 83602->83601 83603 6c80bc88 83602->83603 83604 6c80b105 ReadFile 83602->83604 83603->83595 83604->83602 83606 6c836fb3 std::_Facet_Register 4 API calls 83605->83606 83607 6c70207e 83606->83607 83608 6c837897 43 API calls 83607->83608 83609 6c702092 83608->83609 83644 6c702f60 42 API calls 4 library calls 83609->83644 83611 6c7020c8 83612 6c702136 83611->83612 83614 6c70210d 83611->83614 83646 6c702250 30 API 
calls 83612->83646 83613 6c702120 83613->83511 83614->83613 83645 6c8374fe 9 API calls 2 library calls 83614->83645 83617 6c70215b 83647 6c702340 24 API calls 83617->83647 83619 6c702171 83648 6c8398e9 RaiseException 83619->83648 83621 6c70217c 83621->83511 83623 6c8378a3 __EH_prolog3 83622->83623 83649 6c837425 83623->83649 83626 6c8378df 83655 6c837456 83626->83655 83629 6c8378c1 83663 6c83792a 39 API calls std::locale::_Setgloballocale 83629->83663 83630 6c83791c 83630->83515 83632 6c8378c9 83664 6c837721 HeapFree GetLastError _Yarn 83632->83664 83635 6c6d6d5d 83634->83635 83636 6c701ddc 83634->83636 83635->83518 83641 6c702250 30 API calls 83635->83641 83669 6c8379b7 83636->83669 83640 6c701e82 83641->83520 83642->83522 83643->83524 83644->83611 83645->83613 83646->83617 83647->83619 83648->83621 83650 6c837434 83649->83650 83652 6c83743b 83649->83652 83665 6c84093d 6 API calls std::_Lockit::_Lockit 83650->83665 83653 6c837439 83652->83653 83666 6c838afb EnterCriticalSection 83652->83666 83653->83626 83662 6c8377a0 6 API calls 2 library calls 83653->83662 83656 6c837460 83655->83656 83657 6c84094b 83655->83657 83658 6c837473 83656->83658 83667 6c838b09 LeaveCriticalSection 83656->83667 83668 6c840926 LeaveCriticalSection 83657->83668 83658->83630 83661 6c840952 83661->83630 83662->83629 83663->83632 83664->83626 83665->83653 83666->83653 83667->83658 83668->83661 83670 6c8379c0 83669->83670 83672 6c701dea 83670->83672 83678 6c8402ba 83670->83678 83672->83635 83677 6c83cad3 18 API calls __Getctype 83672->83677 83673 6c837a0c 83673->83672 83689 6c83ffc8 65 API calls 83673->83689 83675 6c837a27 83675->83672 83690 6c841088 83675->83690 83677->83640 83679 6c8402c5 __wsopen_s 83678->83679 83680 6c8402d8 83679->83680 83682 6c8402f8 83679->83682 83715 6c840690 18 API calls __Getctype 83680->83715 83685 6c8402e8 83682->83685 83701 6c84b37c 83682->83701 83685->83673 83689->83675 83691 6c841094 __wsopen_s 83690->83691 83692 6c8410b3 83691->83692 83693 6c84109e 
83691->83693 83700 6c8410ae 83692->83700 83896 6c83cb19 EnterCriticalSection 83692->83896 83911 6c840690 18 API calls __Getctype 83693->83911 83695 6c8410d0 83897 6c84110c 83695->83897 83698 6c8410db 83912 6c841102 LeaveCriticalSection 83698->83912 83700->83672 83702 6c84b388 __wsopen_s 83701->83702 83717 6c84090f EnterCriticalSection 83702->83717 83704 6c84b396 83718 6c84b420 83704->83718 83709 6c84b4e2 83710 6c84b601 83709->83710 83742 6c84b684 83710->83742 83713 6c84033c 83716 6c840365 LeaveCriticalSection 83713->83716 83715->83685 83716->83685 83717->83704 83727 6c84b443 83718->83727 83719 6c84b3a3 83732 6c84b3dc 83719->83732 83720 6c84b49b 83737 6c847755 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 83720->83737 83722 6c84b4a4 83738 6c844d2b HeapFree GetLastError __dosmaperr 83722->83738 83725 6c84b4ad 83725->83719 83739 6c84718f 6 API calls std::_Lockit::_Lockit 83725->83739 83727->83719 83727->83720 83735 6c83cb19 EnterCriticalSection 83727->83735 83736 6c83cb2d LeaveCriticalSection 83727->83736 83728 6c84b4cc 83740 6c83cb19 EnterCriticalSection 83728->83740 83731 6c84b4df 83731->83719 83741 6c840926 LeaveCriticalSection 83732->83741 83734 6c840313 83734->83685 83734->83709 83735->83727 83736->83727 83737->83722 83738->83725 83739->83728 83740->83731 83741->83734 83743 6c84b6a3 83742->83743 83744 6c84b6b6 83743->83744 83748 6c84b6cb 83743->83748 83758 6c840690 18 API calls __Getctype 83744->83758 83746 6c84b617 83746->83713 83755 6c85454e 83746->83755 83753 6c84b7eb 83748->83753 83759 6c854418 37 API calls __Getctype 83748->83759 83750 6c84b83b 83750->83753 83760 6c854418 37 API calls __Getctype 83750->83760 83752 6c84b859 83752->83753 83761 6c854418 37 API calls __Getctype 83752->83761 83753->83746 83762 6c840690 18 API calls __Getctype 83753->83762 83763 6c854906 83755->83763 83758->83746 83759->83750 83760->83752 83761->83753 83762->83746 83765 6c854912 __wsopen_s 83763->83765 83764 6c854919 83781 6c840690 18 API 
calls __Getctype 83764->83781 83765->83764 83766 6c854944 83765->83766 83772 6c85456e 83766->83772 83771 6c854569 83771->83713 83783 6c840c3b 83772->83783 83777 6c8545a4 83779 6c8545d6 83777->83779 83823 6c844d2b HeapFree GetLastError __dosmaperr 83777->83823 83782 6c85499b LeaveCriticalSection __wsopen_s 83779->83782 83781->83771 83782->83771 83824 6c83c25b 83783->83824 83786 6c840c5f 83788 6c83c366 83786->83788 83833 6c83c3be 83788->83833 83790 6c83c37e 83790->83777 83791 6c8545dc 83790->83791 83848 6c854a5c 83791->83848 83797 6c85460e __dosmaperr 83797->83777 83798 6c854702 GetFileType 83799 6c854754 83798->83799 83800 6c85470d GetLastError 83798->83800 83878 6c851d20 SetStdHandle __dosmaperr __wsopen_s 83799->83878 83877 6c83ff62 __dosmaperr 83800->83877 83801 6c8546d7 GetLastError 83801->83797 83803 6c854685 83803->83798 83803->83801 83876 6c8549c7 CreateFileW 83803->83876 83805 6c85471b CloseHandle 83805->83797 83820 6c854744 83805->83820 83806 6c8546ca 83806->83798 83806->83801 83808 6c854775 83809 6c8547c1 83808->83809 83879 6c854bd6 70 API calls 2 library calls 83808->83879 83813 6c8547c8 83809->83813 83893 6c854c80 70 API calls 2 library calls 83809->83893 83812 6c8547f6 83812->83813 83814 6c854804 83812->83814 83880 6c84be95 83813->83880 83814->83797 83816 6c854880 CloseHandle 83814->83816 83894 6c8549c7 CreateFileW 83816->83894 83818 6c8548ab 83819 6c8548b5 GetLastError 83818->83819 83818->83820 83821 6c8548c1 __dosmaperr 83819->83821 83820->83797 83895 6c851c8f SetStdHandle __dosmaperr __wsopen_s 83821->83895 83823->83779 83825 6c83c27b 83824->83825 83826 6c83c272 83824->83826 83825->83826 83827 6c844f22 __Getctype 37 API calls 83825->83827 83826->83786 83832 6c846f45 5 API calls std::_Lockit::_Lockit 83826->83832 83828 6c83c29b 83827->83828 83829 6c845498 __Getctype 37 API calls 83828->83829 83830 6c83c2b1 83829->83830 83831 6c8454c5 __fassign 37 API calls 83830->83831 83831->83826 83832->83786 83834 6c83c3e6 83833->83834 83835 6c83c3cc 83833->83835 
83836 6c83c3ed 83834->83836 83837 6c83c40c 83834->83837 83838 6c83c34c __wsopen_s HeapFree GetLastError 83835->83838 83840 6c83c30d __wsopen_s HeapFree GetLastError 83836->83840 83847 6c83c3d6 __dosmaperr 83836->83847 83839 6c844db3 __fassign MultiByteToWideChar 83837->83839 83838->83847 83841 6c83c41b 83839->83841 83840->83847 83842 6c83c422 GetLastError 83841->83842 83843 6c83c448 83841->83843 83845 6c83c30d __wsopen_s HeapFree GetLastError 83841->83845 83842->83847 83844 6c844db3 __fassign MultiByteToWideChar 83843->83844 83843->83847 83846 6c83c45f 83844->83846 83845->83843 83846->83842 83846->83847 83847->83790 83849 6c854a97 83848->83849 83850 6c854a7d 83848->83850 83851 6c8549ec __wsopen_s 18 API calls 83849->83851 83850->83849 83852 6c840690 __Getctype 18 API calls 83850->83852 83855 6c854acf 83851->83855 83852->83849 83853 6c854afe 83854 6c855e81 __wsopen_s 18 API calls 83853->83854 83859 6c8545f9 83853->83859 83856 6c854b4c 83854->83856 83855->83853 83858 6c840690 __Getctype 18 API calls 83855->83858 83857 6c854bc9 83856->83857 83856->83859 83860 6c8406bd __Getctype 11 API calls 83857->83860 83858->83853 83859->83797 83862 6c851b7c 83859->83862 83861 6c854bd5 83860->83861 83863 6c851b88 __wsopen_s 83862->83863 83864 6c84090f std::_Lockit::_Lockit EnterCriticalSection 83863->83864 83865 6c851b8f 83864->83865 83867 6c851bb4 83865->83867 83871 6c851c23 EnterCriticalSection 83865->83871 83873 6c851bd6 83865->83873 83866 6c851c86 __wsopen_s LeaveCriticalSection 83868 6c851bf6 83866->83868 83869 6c851db2 __wsopen_s 11 API calls 83867->83869 83868->83797 83875 6c8549c7 CreateFileW 83868->83875 83870 6c851bb9 83869->83870 83872 6c851f00 __wsopen_s EnterCriticalSection 83870->83872 83870->83873 83871->83873 83874 6c851c30 LeaveCriticalSection 83871->83874 83872->83873 83873->83866 83874->83865 83875->83803 83876->83806 83877->83805 83878->83808 83879->83809 83881 6c851b12 __wsopen_s 18 API calls 83880->83881 83882 6c84bea5 83881->83882 83883 6c84beab 83882->83883 
83885 6c84bedd 83882->83885 83887 6c851b12 __wsopen_s 18 API calls 83882->83887 83884 6c851c8f __wsopen_s SetStdHandle 83883->83884 83892 6c84bf03 __dosmaperr 83884->83892 83885->83883 83886 6c851b12 __wsopen_s 18 API calls 83885->83886 83888 6c84bee9 CloseHandle 83886->83888 83889 6c84bed4 83887->83889 83888->83883 83890 6c84bef5 GetLastError 83888->83890 83891 6c851b12 __wsopen_s 18 API calls 83889->83891 83890->83883 83891->83885 83892->83797 83893->83812 83894->83818 83895->83820 83896->83695 83898 6c84112e 83897->83898 83899 6c841119 83897->83899 83901 6c841129 83898->83901 83913 6c841229 83898->83913 83935 6c840690 18 API calls __Getctype 83899->83935 83901->83698 83907 6c841151 83928 6c84be08 83907->83928 83909 6c841157 83909->83901 83936 6c844d2b HeapFree GetLastError __dosmaperr 83909->83936 83911->83700 83912->83700 83914 6c841241 83913->83914 83918 6c841143 83913->83918 83915 6c84a1d0 18 API calls 83914->83915 83914->83918 83916 6c84125f 83915->83916 83937 6c84c0dc 83916->83937 83919 6c848cae 83918->83919 83920 6c848cc5 83919->83920 83921 6c84114b 83919->83921 83920->83921 84020 6c844d2b HeapFree GetLastError __dosmaperr 83920->84020 83923 6c84a1d0 83921->83923 83924 6c84a1f1 83923->83924 83925 6c84a1dc 83923->83925 83924->83907 84021 6c840690 18 API calls __Getctype 83925->84021 83927 6c84a1ec 83927->83907 83929 6c84be2e 83928->83929 83933 6c84be19 __dosmaperr 83928->83933 83930 6c84be55 83929->83930 83932 6c84be77 __dosmaperr 83929->83932 84022 6c84bf31 83930->84022 84030 6c840690 18 API calls __Getctype 83932->84030 83933->83909 83935->83901 83936->83901 83938 6c84c0e8 __wsopen_s 83937->83938 83939 6c84c13a 83938->83939 83941 6c84c1a3 __dosmaperr 83938->83941 83944 6c84c0f0 __dosmaperr 83938->83944 83948 6c851f00 EnterCriticalSection 83939->83948 83978 6c840690 18 API calls __Getctype 83941->83978 83942 6c84c140 83946 6c84c15c __dosmaperr 83942->83946 83949 6c84c1ce 83942->83949 83944->83918 83977 6c84c19b LeaveCriticalSection __wsopen_s 83946->83977 
83948->83942 83950 6c84c1f0 83949->83950 83976 6c84c20c __dosmaperr 83949->83976 83951 6c84c244 83950->83951 83954 6c84c1f4 __dosmaperr 83950->83954 83952 6c84c257 83951->83952 83987 6c84b1d9 20 API calls __wsopen_s 83951->83987 83979 6c84c3b0 83952->83979 83986 6c840690 18 API calls __Getctype 83954->83986 83958 6c84c2ac 83962 6c84c305 WriteFile 83958->83962 83963 6c84c2c0 83958->83963 83959 6c84c26d 83960 6c84c296 83959->83960 83961 6c84c271 83959->83961 83989 6c84c421 43 API calls 5 library calls 83960->83989 83961->83976 83988 6c84c7cb 6 API calls __wsopen_s 83961->83988 83965 6c84c329 GetLastError 83962->83965 83962->83976 83966 6c84c2f5 83963->83966 83967 6c84c2cb 83963->83967 83965->83976 83992 6c84c833 7 API calls 2 library calls 83966->83992 83968 6c84c2e5 83967->83968 83969 6c84c2d0 83967->83969 83991 6c84c9f7 8 API calls 3 library calls 83968->83991 83972 6c84c2d5 83969->83972 83969->83976 83990 6c84c90e 7 API calls 2 library calls 83972->83990 83974 6c84c2e3 83974->83976 83976->83946 83977->83944 83978->83944 83980 6c851f55 __wsopen_s 18 API calls 83979->83980 83981 6c84c3c1 83980->83981 83985 6c84c268 83981->83985 83993 6c844f22 GetLastError 83981->83993 83984 6c84c3fe GetConsoleMode 83984->83985 83985->83958 83985->83959 83986->83976 83987->83952 83988->83976 83989->83976 83990->83974 83991->83974 83992->83974 83994 6c844f3f 83993->83994 83995 6c844f39 83993->83995 83996 6c8470d2 __Getctype 6 API calls 83994->83996 84000 6c844f45 SetLastError 83994->84000 83997 6c847093 __Getctype 6 API calls 83995->83997 83998 6c844f5d 83996->83998 83997->83994 83999 6c844f61 83998->83999 83998->84000 84001 6c847755 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 83999->84001 84006 6c844fd3 84000->84006 84007 6c844fd9 84000->84007 84003 6c844f6d 84001->84003 84004 6c844f75 84003->84004 84005 6c844f8c 84003->84005 84008 6c8470d2 __Getctype 6 API calls 84004->84008 84010 6c8470d2 __Getctype 6 API calls 84005->84010 84006->83984 84006->83985 84009 
6c841039 __Getctype 35 API calls 84007->84009 84011 6c844f83 84008->84011 84012 6c844fde 84009->84012 84013 6c844f98 84010->84013 84017 6c844d2b _free HeapFree GetLastError 84011->84017 84014 6c844f9c 84013->84014 84015 6c844fad 84013->84015 84016 6c8470d2 __Getctype 6 API calls 84014->84016 84019 6c844d2b _free HeapFree GetLastError 84015->84019 84016->84011 84018 6c844f89 84017->84018 84018->84000 84019->84018 84020->83921 84021->83927 84023 6c84bf3d __wsopen_s 84022->84023 84031 6c851f00 EnterCriticalSection 84023->84031 84025 6c84bf4b 84026 6c84be95 __wsopen_s 21 API calls 84025->84026 84027 6c84bf78 84025->84027 84026->84027 84032 6c84bfb1 LeaveCriticalSection __wsopen_s 84027->84032 84029 6c84bf9a 84029->83933 84030->83933 84031->84025 84032->84029 84033->83531 84034->83533 84035->83531 84036->83531 84037->83531 84039 6c70022e 84038->84039 84040 6c6d70c4 84039->84040 84045 6c841d4b 84039->84045 84040->83543 84042->83545 84043->83547 84044->83549 84046 6c841d76 84045->84046 84047 6c841d59 84045->84047 84046->84039 84047->84046 84048 6c841d66 84047->84048 84049 6c841d7a 84047->84049 84061 6c840690 18 API calls __Getctype 84048->84061 84053 6c841f72 84049->84053 84054 6c841f7e __wsopen_s 84053->84054 84062 6c83cb19 EnterCriticalSection 84054->84062 84056 6c841f8c 84063 6c841f2f 84056->84063 84060 6c841dac 84060->84039 84061->84046 84062->84056 84071 6c848b16 84063->84071 84069 6c841f69 84070 6c841fc1 LeaveCriticalSection 84069->84070 84070->84060 84072 6c84a1d0 18 API calls 84071->84072 84073 6c848b27 84072->84073 84074 6c851f55 __wsopen_s 18 API calls 84073->84074 84075 6c848b2d __wsopen_s 84074->84075 84076 6c841f43 84075->84076 84088 6c844d2b HeapFree GetLastError __dosmaperr 84075->84088 84078 6c841dae 84076->84078 84080 6c841dc0 84078->84080 84082 6c841dde 84078->84082 84079 6c841dce 84089 6c840690 18 API calls __Getctype 84079->84089 84080->84079 84080->84082 84085 6c841df6 _Yarn 84080->84085 84087 6c848bc9 62 API calls 84082->84087 84083 6c841229 62 API 
calls 84083->84085 84084 6c84a1d0 18 API calls 84084->84085 84085->84082 84085->84083 84085->84084 84086 6c84c0dc __wsopen_s 62 API calls 84085->84086 84086->84085 84087->84069 84088->84076 84089->84082 84091 6c836595 84090->84091 84092 6c702020 52 API calls 84091->84092 84093 6c836636 84092->84093 84094 6c836fb3 std::_Facet_Register 4 API calls 84093->84094 84095 6c83666e 84094->84095 84096 6c837897 43 API calls 84095->84096 84097 6c836682 84096->84097 84098 6c701d90 89 API calls 84097->84098 84099 6c83672b 84098->84099 84100 6c83675c 84099->84100 84142 6c702250 30 API calls 84099->84142 84100->83565 84102 6c836796 84143 6c7026e0 24 API calls 4 library calls 84102->84143 84104 6c8367a8 84144 6c8398e9 RaiseException 84104->84144 84106 6c8367bd 84107 6c6fe010 67 API calls 84106->84107 84108 6c8367cf 84107->84108 84108->83565 84110 6c8368fd 84109->84110 84145 6c836b10 84110->84145 84113 6c8369ec 84113->83576 84116 6c836915 84116->84113 84163 6c702250 30 API calls 84116->84163 84164 6c7026e0 24 API calls 4 library calls 84116->84164 84165 6c8398e9 RaiseException 84116->84165 84118 6c7123af 84117->84118 84121 6c7123c3 84118->84121 84174 6c703560 32 API calls std::_Xinvalid_argument 84118->84174 84124 6c71247e 84121->84124 84176 6c702250 30 API calls 84121->84176 84177 6c7026e0 24 API calls 4 library calls 84121->84177 84178 6c8398e9 RaiseException 84121->84178 84123 6c712491 84123->83576 84124->84123 84175 6c7037e0 32 API calls std::_Xinvalid_argument 84124->84175 84128 6c83610e 84127->84128 84132 6c836141 84127->84132 84129 6c7001f0 64 API calls 84128->84129 84131 6c836134 84129->84131 84130 6c8361f3 84130->83577 84133 6c841088 67 API calls 84131->84133 84132->84130 84179 6c702250 30 API calls 84132->84179 84133->84132 84135 6c83621e 84180 6c702340 24 API calls 84135->84180 84137 6c83622e 84181 6c8398e9 RaiseException 84137->84181 84139 6c836239 84140 6c6fe010 67 API calls 84139->84140 84141 6c836292 std::ios_base::_Ios_base_dtor 84140->84141 84141->83577 84142->84102 
84143->84104 84144->84106 84146 6c836b78 84145->84146 84147 6c836b4c 84145->84147 84153 6c836b89 84146->84153 84166 6c703560 32 API calls std::_Xinvalid_argument 84146->84166 84161 6c836b71 84147->84161 84168 6c702250 30 API calls 84147->84168 84150 6c836d58 84169 6c702340 24 API calls 84150->84169 84152 6c836d67 84170 6c8398e9 RaiseException 84152->84170 84153->84161 84167 6c702f60 42 API calls 4 library calls 84153->84167 84157 6c836d97 84172 6c702340 24 API calls 84157->84172 84159 6c836dad 84173 6c8398e9 RaiseException 84159->84173 84161->84116 84162 6c836bc3 84162->84161 84171 6c702250 30 API calls 84162->84171 84163->84116 84164->84116 84165->84116 84166->84153 84167->84162 84168->84150 84169->84152 84170->84162 84171->84157 84172->84159 84173->84161 84174->84121 84175->84123 84176->84121 84177->84121 84178->84121 84179->84135 84180->84137 84181->84139 84182 6c6b3d62 84185 6c6b3bc0 84182->84185 84183 6c6b3e8a GetCurrentThread NtSetInformationThread 84184 6c6b3eea 84183->84184 84185->84183 84186 6c6c4a27 84190 6c6c4a5d _strlen 84186->84190 84187 6c6d639e 84277 6c8406a0 18 API calls __Getctype 84187->84277 84188 6c6c5b6f 84192 6c836fb3 std::_Facet_Register 4 API calls 84188->84192 84189 6c6c5b58 84191 6c836fb3 std::_Facet_Register 4 API calls 84189->84191 84190->84187 84190->84188 84190->84189 84194 6c6c5b09 _Yarn 84190->84194 84191->84194 84192->84194 84195 6c82b430 2 API calls 84194->84195 84198 6c6c5bad std::ios_base::_Ios_base_dtor 84195->84198 84196 6c835560 4 API calls 84206 6c6c61cb _strlen 84196->84206 84197 6c836fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 84200 6c6c9ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 84197->84200 84198->84187 84198->84196 84198->84200 84199 6c82b430 2 API calls 84199->84200 84200->84187 84200->84197 84200->84199 84201 6c6ca292 Sleep 84200->84201 84208 6c6ce619 84200->84208 84211 6c6c9bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 84201->84211 84202 6c6c660d 
84204 6c836fb3 std::_Facet_Register 4 API calls 84202->84204 84203 6c6c6624 84205 6c836fb3 std::_Facet_Register 4 API calls 84203->84205 84212 6c6c65bc _Yarn _strlen 84204->84212 84205->84212 84206->84187 84206->84202 84206->84203 84206->84212 84207 6c835560 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 84207->84211 84221 6c6cf243 CreateFileA 84208->84221 84209 6c6c9bbd GetCurrentProcess TerminateProcess 84209->84200 84210 6c6d63b2 84278 6c6b15e0 18 API calls std::ios_base::_Ios_base_dtor 84210->84278 84211->84187 84211->84200 84211->84207 84211->84209 84211->84210 84252 6c836fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 84211->84252 84267 6c835ed0 104 API calls 84211->84267 84212->84210 84214 6c6c6920 _Yarn 84212->84214 84216 6c6c6989 84212->84216 84217 6c6c6970 84212->84217 84220 6c835ed0 104 API calls 84214->84220 84215 6c6d64f8 84219 6c836fb3 std::_Facet_Register 4 API calls 84216->84219 84218 6c836fb3 std::_Facet_Register 4 API calls 84217->84218 84218->84214 84219->84214 84222 6c6c69d6 std::ios_base::_Ios_base_dtor _strlen 84220->84222 84236 6c6cf2a7 84221->84236 84222->84187 84223 6c6c6dbb 84222->84223 84224 6c6c6dd2 84222->84224 84235 6c6c6d69 _Yarn _strlen 84222->84235 84226 6c836fb3 std::_Facet_Register 4 API calls 84223->84226 84227 6c836fb3 std::_Facet_Register 4 API calls 84224->84227 84225 6c6d02ca 84226->84235 84227->84235 84228 6c6c7427 84230 6c836fb3 std::_Facet_Register 4 API calls 84228->84230 84229 6c6c7440 84231 6c836fb3 std::_Facet_Register 4 API calls 84229->84231 84232 6c6c73da _Yarn 84230->84232 84231->84232 84234 6c835ed0 104 API calls 84232->84234 84233 6c6d02ac GetCurrentProcess TerminateProcess 84233->84225 84237 6c6c748d std::ios_base::_Ios_base_dtor _strlen 84234->84237 84235->84210 84235->84228 84235->84229 84235->84232 84236->84225 84236->84233 84237->84187 84238 6c6c79a8 84237->84238 84239 6c6c7991 84237->84239 84244 6c6c7940 _Yarn _strlen 84237->84244 84241 
6c836fb3 std::_Facet_Register 4 API calls 84238->84241 84240 6c836fb3 std::_Facet_Register 4 API calls 84239->84240 84240->84244 84241->84244 84242 6c6c7dc9 84245 6c836fb3 std::_Facet_Register 4 API calls 84242->84245 84243 6c6c7de2 84246 6c836fb3 std::_Facet_Register 4 API calls 84243->84246 84244->84210 84244->84242 84244->84243 84247 6c6c7d7c _Yarn 84244->84247 84245->84247 84246->84247 84248 6c835ed0 104 API calls 84247->84248 84249 6c6c7e2f std::ios_base::_Ios_base_dtor _strlen 84248->84249 84249->84187 84250 6c6c85bf 84249->84250 84251 6c6c85a8 84249->84251 84260 6c6c8556 _Yarn _strlen 84249->84260 84254 6c836fb3 std::_Facet_Register 4 API calls 84250->84254 84253 6c836fb3 std::_Facet_Register 4 API calls 84251->84253 84252->84211 84253->84260 84254->84260 84255 6c6c896a 84257 6c836fb3 std::_Facet_Register 4 API calls 84255->84257 84256 6c6c8983 84258 6c836fb3 std::_Facet_Register 4 API calls 84256->84258 84259 6c6c891d _Yarn 84257->84259 84258->84259 84261 6c835ed0 104 API calls 84259->84261 84260->84210 84260->84255 84260->84256 84260->84259 84262 6c6c89d0 std::ios_base::_Ios_base_dtor _strlen 84261->84262 84262->84187 84263 6c6c8f1f 84262->84263 84264 6c6c8f36 84262->84264 84268 6c6c8ecd _Yarn _strlen 84262->84268 84266 6c836fb3 std::_Facet_Register 4 API calls 84263->84266 84265 6c836fb3 std::_Facet_Register 4 API calls 84264->84265 84265->84268 84266->84268 84267->84211 84268->84210 84269 6c6c936d 84268->84269 84270 6c6c9354 84268->84270 84273 6c6c9307 _Yarn 84268->84273 84272 6c836fb3 std::_Facet_Register 4 API calls 84269->84272 84271 6c836fb3 std::_Facet_Register 4 API calls 84270->84271 84271->84273 84272->84273 84274 6c835ed0 104 API calls 84273->84274 84276 6c6c93ba std::ios_base::_Ios_base_dtor 84274->84276 84275 6c835560 4 API calls 84275->84200 84276->84187 84276->84275 84278->84215 84279 6c83f4af 84280 6c83f4bb __wsopen_s 84279->84280 84281 6c83f4c2 GetLastError ExitThread 84280->84281 84282 6c83f4cf 84280->84282 84283 6c844f22 __Getctype 37 
API calls 84282->84283 84284 6c83f4d4 84283->84284 84291 6c84a2d6 84284->84291 84287 6c83f4eb 84297 6c83f41a 16 API calls 2 library calls 84287->84297 84290 6c83f50d 84292 6c84a2e8 GetPEB 84291->84292 84295 6c83f4df 84291->84295 84293 6c84a2fb 84292->84293 84292->84295 84298 6c847388 5 API calls std::_Lockit::_Lockit 84293->84298 84295->84287 84296 6c8472df 5 API calls std::_Lockit::_Lockit 84295->84296 84296->84287 84297->84290 84298->84295 84299 6c6cf150 84301 6c6cefbe 84299->84301 84300 6c6cf243 CreateFileA 84304 6c6cf2a7 84300->84304 84301->84300 84302 6c6d02ca 84303 6c6d02ac GetCurrentProcess TerminateProcess 84303->84302 84304->84302 84304->84303 84305 6c6c3b72 84306 6c836fb3 std::_Facet_Register 4 API calls 84305->84306 84308 6c6c37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 84306->84308 84307 6c82b430 2 API calls 84307->84308 84308->84307 84310 6c6d6ba0 104 API calls 84308->84310 84311 6c6d6e60 32 API calls 84308->84311 84312 6c6d7090 77 API calls 84308->84312 84313 6c6fe010 67 API calls 84308->84313 84314 6c6d639e 84308->84314 84310->84308 84311->84308 84312->84308 84313->84308 84318 6c8406a0 18 API calls __Getctype 84314->84318
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 072a62794dae36b6e1ac4a20b4a2b999ee5632e0b9821eb08324961fb2cbe7b7
                            • Instruction ID: ab63dd332aa29559103cae06b4b282ce6d1eb1c30145050953b18d51da6b8faf
                            • Opcode Fuzzy Hash: 072a62794dae36b6e1ac4a20b4a2b999ee5632e0b9821eb08324961fb2cbe7b7
                            • Instruction Fuzzy Hash: 35741671644B028FC728CF28C8D06D5B7F3EF95318B198A6DC0AA8BB55E774B54ACB44
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: }jk$;T55$L@^
                            • API String ID: 0-4218709813
                            • Opcode ID: 02e08b934de04f13df0d65694c8f602b43aaa03f38fa1bd341ffec61e976cd4e
                            • Instruction ID: 0e033e89b9c179322bf6a26d8a201ea1f9db00dcb067757c9e8d6701db93078c
                            • Opcode Fuzzy Hash: 02e08b934de04f13df0d65694c8f602b43aaa03f38fa1bd341ffec61e976cd4e
                            • Instruction Fuzzy Hash: E1341771745B018FC728CF28C8D0695B7F3EF95318B198A2DC0AA8BB55EB74B44ACB45

                            Control-flow Graph (graph rendering omitted): function at 6c8357b0; API calls CreateToolhelp32Snapshot (block 6c8357b0-6c8357e5), CloseHandle (6c8357e7-6c835802), Process32NextW (6c835890-6c8358a2), Process32FirstW (6c8358a4-6c8358cd); internal calls to 6c843175 and 6c83be90.
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C8357BE
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: e14b9961e99fe14fff44bc0cb81ae3ee69879ec86ca2c65157f7535361f295a8
                            • Instruction ID: e09e9d85007bc9769846847aeef1d0b4bc6d8ac44cfa21e28872c646b8a378a2
                            • Opcode Fuzzy Hash: e14b9961e99fe14fff44bc0cb81ae3ee69879ec86ca2c65157f7535361f295a8
                            • Instruction Fuzzy Hash: EB316D74618310DBD7209FA9C988B0BBBF4AF95744F506D2EE88CC7760D37199488B92

                            Control-flow Graph (graph rendering omitted): function at 6c6b3886; API calls GetCurrentThread and NtSetInformationThread in block 6c6b3e81-6c6b3ee0, preceded by an internal call to 6c6b3750; repeated internal calls to 6c8019e0 and 6c8019f0 (blocks 6c6b383b-6c6b3855, 6c6b3bc0-6c6b3bda, 6c6b3eea-6c6b3f04).
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ab124b6c79eb702bc401d2f8b416f14c073be05001ded7901c2df88c3f5067d
                            • Instruction ID: 760c0cbff15f3476d969356e60b5ae0635245f3f9e8dff46c7ef4905726c1020
                            • Opcode Fuzzy Hash: 6ab124b6c79eb702bc401d2f8b416f14c073be05001ded7901c2df88c3f5067d
                            • Instruction Fuzzy Hash: 4F321432345B018FC324CF28C8C06A5B7E3EFD131476A8A6DC0EA6BA55DB74B45ACB54

                            Control-flow Graph (graph rendering omitted): function at 6c6b3a6a, sharing its body with the graph above; API calls GetCurrentThread and NtSetInformationThread in block 6c6b3e81-6c6b3ee0, preceded by an internal call to 6c6b3750; repeated internal calls to 6c8019e0 and 6c8019f0 (blocks 6c6b383b-6c6b3855, 6c6b3bc0-6c6b3bda, 6c6b3eea-6c6b3f04).
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: d1e240c86d914c4f779bfb04d64b1128a0ba33a7bb8a07e7367cc6f4cc580dff
                            • Instruction ID: c2a8865a051573d9316de40a4d3ace8e8336ca571556b045176ff66a7ba17b5a
                            • Opcode Fuzzy Hash: d1e240c86d914c4f779bfb04d64b1128a0ba33a7bb8a07e7367cc6f4cc580dff
                            • Instruction Fuzzy Hash: AE51E131644B018FC3208F28C8807D5B7E3BF91314F698A6DC0EA2BA95DFB5B45ACB55
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: ddcc6be33683a0d38132d443663babb1da4de07f9f1d76f03fdea83ecb45be06
                            • Instruction ID: 35d013d84948ad24fbb7a313411d9f05ac4b037caf1154e589d91ae8e2761cf5
                            • Opcode Fuzzy Hash: ddcc6be33683a0d38132d443663babb1da4de07f9f1d76f03fdea83ecb45be06
                            • Instruction Fuzzy Hash: 5F51D231614B018BC320CF28C4807D5B7E3BF95324F698B6DC0E66BA95DFB1B4568B55
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C6B3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6B3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 84a929df19c427b483271d59a844ef8cf80d545ed3d08baa14a4b932a18eb26c
                            • Instruction ID: d8419e0e92623e4442d64f08f5c2c550320b5d22e80c13c58f4daff8e8787328
                            • Opcode Fuzzy Hash: 84a929df19c427b483271d59a844ef8cf80d545ed3d08baa14a4b932a18eb26c
                            • Instruction Fuzzy Hash: D0314431645B01CFC320CF28C8807D6B7A3AF92314F694E2DC0AA6BA81DFB4701ACB55
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C6B3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6B3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 3730a98fffbdfeb7d9afab82a5e62d324b00d8c6baec55e880a6dc8d5cfd68b9
                            • Instruction ID: 68c3cf2c2a43d7008d8ab1c2c744edcaae6cf927da637f13757a2019abb3d37b
                            • Opcode Fuzzy Hash: 3730a98fffbdfeb7d9afab82a5e62d324b00d8c6baec55e880a6dc8d5cfd68b9
                            • Instruction Fuzzy Hash: EE31E131214B01CBC724CF28C4907A6B7A6AF56308F694E2DC0EA6BA85DBB1B455CB55
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C6B3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6B3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 0da6857d719652a7b85d9db7eab9f80b2ab1c70d991a2c8a7cb6a2e9693c98ed
                            • Instruction ID: 020a95cdf56fd716cbcabddf3ff1a107a01a59a164674445713e8850e51dd39d
                            • Opcode Fuzzy Hash: 0da6857d719652a7b85d9db7eab9f80b2ab1c70d991a2c8a7cb6a2e9693c98ed
                            • Instruction Fuzzy Hash: 0121F430618B01CBD734CF64C8907E677B6AF42308F694E2DD0AA6BA81DFB5B425CB55
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C8356A0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ManagerOpen
                            • String ID:
                            • API String ID: 1889721586-0
                            • Opcode ID: aa30195311514f7eeb8a2bad2a040f8eb5c8cd189ce24d7aeee99da71c528dfc
                            • Instruction ID: 4bae0aa3b0babafea4a6691eeb679e63a32911d96edb99a03ff01da552484e34
                            • Opcode Fuzzy Hash: aa30195311514f7eeb8a2bad2a040f8eb5c8cd189ce24d7aeee99da71c528dfc
                            • Instruction Fuzzy Hash: 65312B74608351EFC720CF68C544A0EBBF0AB89764F509C5AF889C6361D371CC449BA2
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6C82B44C
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: d718aa00c307cba342e20211d7c2314b79093e6b213e75a3ae82de2e0290cc87
                            • Instruction ID: 11dedde979ab67687a7a43527b15a79eba7e9baf4f7b4548fee0ae91d7f26358
                            • Opcode Fuzzy Hash: d718aa00c307cba342e20211d7c2314b79093e6b213e75a3ae82de2e0290cc87
                            • Instruction Fuzzy Hash: 7A110D7450A351AFD7208A24D68852F7BE4AF85314F158E59F4AAC7791D334DC848B92
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C80B117
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                            • API String ID: 2738559852-1563143607
                            • Opcode ID: fea66e63732df5146c8f2d85101e5dd2ce836b24dcea5627fd0c33e70131afcd
                            • Instruction ID: 68a561353991c052f6e9c60ad156aef5bdc679fa4b1a0e7eb8fde53300ff76dc
                            • Opcode Fuzzy Hash: fea66e63732df5146c8f2d85101e5dd2ce836b24dcea5627fd0c33e70131afcd
                            • Instruction Fuzzy Hash: 6262487060D3858FC724CF28C990A6ABBE1AFD9314F248D2EF8A9CB751D735D8458B42

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c84d043
                            • API calls shown in graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 59f5a07f818ece9e8d0798ccbe078ff37db9352229b3dec7abbb93d4d92964a1
                            • Instruction ID: 847e5d3eb79426271ffb42dd347ba4dd04df357006a59e59b38685b7b0c8f758
                            • Opcode Fuzzy Hash: 59f5a07f818ece9e8d0798ccbe078ff37db9352229b3dec7abbb93d4d92964a1
                            • Instruction Fuzzy Hash: 6BC1DC70E0424DDFDF21CF9DC980BADBBB1AF4A318F50895AE814ABB81D7749945CB60

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c8545dc
                            • API calls shown in graph: GetFileType, GetLastError, CloseHandle
                            APIs
                              • Part of subcall function 6C8549C7: CreateFileW.KERNEL32(00000000,00000000,?,6C854685,?,?,00000000,?,6C854685,00000000,0000000C), ref: 6C8549E4
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8546F0
                            • __dosmaperr.LIBCMT ref: 6C8546F7
                            • GetFileType.KERNEL32(00000000), ref: 6C854703
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85470D
                            • __dosmaperr.LIBCMT ref: 6C854716
                            • CloseHandle.KERNEL32(00000000), ref: 6C854736
                            • CloseHandle.KERNEL32(6C84B640), ref: 6C854883
                            • GetLastError.KERNEL32 ref: 6C8548B5
                            • __dosmaperr.LIBCMT ref: 6C8548BC
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 9ea22f85e31e1d8b442eb311dcdde6041089d5aa70eb0bd7d2e7bbca5c6c1358
                            • Instruction ID: 83d8fa973fb70ce69e6183bf57a1577ca33bbb145c2a3f895e54e9f04a7f10b9
                            • Opcode Fuzzy Hash: 9ea22f85e31e1d8b442eb311dcdde6041089d5aa70eb0bd7d2e7bbca5c6c1358
                            • Instruction Fuzzy Hash: ACA13732A141588FCF29CF68C9517ED3BB1ABC7328F540599E815AF790CB758836CB91

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c80c750
                            • API calls shown in graph: WriteFile, ReadFile
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                            • API String ID: 0-4100612575
                            • Opcode ID: 839920d8ff6d10c09ce20fc6a6477c87e276b155ce4ee3978e303fbda0496e2f
                            • Instruction ID: f477cad891cacfb76fff99e89966805349aec5f02821ab1fcbd1083d60465cd3
                            • Opcode Fuzzy Hash: 839920d8ff6d10c09ce20fc6a6477c87e276b155ce4ee3978e303fbda0496e2f
                            • Instruction Fuzzy Hash: 61715DB0208345AFD720DF19C980B9ABBF5BF8A709F104D2EF498D6652D771D8488B93
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                            • API String ID: 0-174837320
                            • Opcode ID: 1666721ea44b4b2c843a012c1c9dc5e02601fc424c2b07765acc95574bd0adef
                            • Instruction ID: d0ad46009d23e83c7a08db3886596e16dea769edca7c2db7f10cb32bfcd2325e
                            • Opcode Fuzzy Hash: 1666721ea44b4b2c843a012c1c9dc5e02601fc424c2b07765acc95574bd0adef
                            • Instruction Fuzzy Hash: 7D4297746093469FC724DF18C98062ABBE1AFD9319F208D6EE9A587B21C738D845CB53
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: 85fc7ca82e4a0a336959cb18b5118f5c9dd52b842a40ffc4ba9c9fab95ab2fb5
                            • Instruction ID: 5b6af9826826dbbe54b77e63b9efb000e6b37d0ee70650640793db19d19353e5
                            • Opcode Fuzzy Hash: 85fc7ca82e4a0a336959cb18b5118f5c9dd52b842a40ffc4ba9c9fab95ab2fb5
                            • Instruction Fuzzy Hash: FB03E331745B018FC728CF28C8D0696B7E3EFD53287198B2DC0A64BA95DB74B44ACB55

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c835560
                            • API calls shown in graph: CreateProcessA, WaitForSingleObject, CloseHandle
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: f74856ce1686b79cc29d3b3b7c35892bedf667dabe5d50a69e1634b8b4c179cf
                            • Instruction ID: 9af2a4874f99be564eb0b813f061538b5e3ea714718d283be71ab92943b3e596
                            • Opcode Fuzzy Hash: f74856ce1686b79cc29d3b3b7c35892bedf667dabe5d50a69e1634b8b4c179cf
                            • Instruction Fuzzy Hash: 743103B09093408FD710DF28D19871ABBF0AB8A318F516E1DF8D986260E775D988CF43

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c84c1ce
                            • API calls shown in graph: WriteFile, GetLastError
                            APIs
                              • Part of subcall function 6C84C421: GetConsoleCP.KERNEL32(?,6C84B640,?), ref: 6C84C469
                            • WriteFile.KERNEL32(?,?,6C854C5C,00000000,00000000,?,00000000,00000000,6C856026,00000000,00000000,?,00000000,6C84B640,6C854C5C,00000000), ref: 6C84C31F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C854C5C,6C84B640,00000000,?,?,?,?,00000000,?), ref: 6C84C329
                            • __dosmaperr.LIBCMT ref: 6C84C36E
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: fe6eb1955c71faedb0f20be8b13e51b5c85a18bc2453f3aafb1f059ae0898bb4
                            • Instruction ID: 2538764d0bcc4aa2ba5223fb2788f113078a015695d9c6d6db30eebd1f8882c8
                            • Opcode Fuzzy Hash: fe6eb1955c71faedb0f20be8b13e51b5c85a18bc2453f3aafb1f059ae0898bb4
                            • Instruction Fuzzy Hash: 7651E871A0521DAFDB20EFE8CE40BEE7BBDFF46358F104865E404A7A52D771990987A0

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c836100
                            • API calls shown in graph: none (internal calls only)
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8362A1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: 4b04bf1d98c65d5ee57477b5a7797a9547368e370c3bc11ae7da229f1a13245c
                            • Instruction ID: 97df0da0a203f6119520f17f1602fbc1e6ace88ab09c201ee19780a60c271173
                            • Opcode Fuzzy Hash: 4b04bf1d98c65d5ee57477b5a7797a9547368e370c3bc11ae7da229f1a13245c
                            • Instruction Fuzzy Hash: E35144B1900B008FD725CF29C685796BBF1BB48318F408E2DD88A4BB91D775B909CB90

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c84be95
                            • API calls shown in graph: CloseHandle, GetLastError
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C8547CF), ref: 6C84BEEB
                            • GetLastError.KERNEL32(?,00000000,?,6C8547CF), ref: 6C84BEF5
                            • __dosmaperr.LIBCMT ref: 6C84BF20
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: d07299c65b307e3d0093d7b6ebf09a71a67414fe6c2be58fa4ba02ec57d61355
                            • Instruction ID: 21f08f35396b78d1a9c2dad45530ab60a402c97108d5555012276def93c603ad
                            • Opcode Fuzzy Hash: d07299c65b307e3d0093d7b6ebf09a71a67414fe6c2be58fa4ba02ec57d61355
                            • Instruction Fuzzy Hash: 0D018C3370891826C6304A7DD700FBD776C4BC777CF368E68E9188BAC1DB65C8448190

                            Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                            • Function start: 6c84110c
                            • API calls shown in graph: none (internal calls only)
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: be2bb71c01bddc3d48b5fe4b84f6eeb4cabccacd7538db06cc1524b84409ef3d
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: A4F08B3250161C96D6311B7D9F007DA32A85F82379F11DF25E43492FD0DB74D416C5D1
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C836024
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C836064
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            APIs
                            • GetLastError.KERNEL32(6C866DF0,0000000C), ref: 6C83F4C2
                            • ExitThread.KERNEL32 ref: 6C83F4C9
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6C854685,?,?,00000000,?,6C854685,00000000,0000000C), ref: 6C8549E4
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: g)''
                            • API String ID: 4218353326-3487984327
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6C8362DA
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C8362E6
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C8362F4
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C83631B
                            • NtInitiatePowerAction.NTDLL ref: 6C83632F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8BAEF4
                              • Part of subcall function 6C8BE622: __EH_prolog.LIBCMT ref: 6C8BE627
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $h%K
                            • API String ID: 3519838083-1737110039
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C896CE5
                              • Part of subcall function 6C86CC2A: __EH_prolog.LIBCMT ref: 6C86CC2F
                              • Part of subcall function 6C86E6A6: __EH_prolog.LIBCMT ref: 6C86E6AB
                              • Part of subcall function 6C896A0E: __EH_prolog.LIBCMT ref: 6C896A13
                              • Part of subcall function 6C896837: __EH_prolog.LIBCMT ref: 6C89683C
                              • Part of subcall function 6C89A143: __EH_prolog.LIBCMT ref: 6C89A148
                              • Part of subcall function 6C89A143: ctype.LIBCPMT ref: 6C89A16C
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: W
                            • API String ID: 3519838083-655174618
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C8407E9
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C8407F3
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C840800
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,?,6C83F7A5,6C83A1B9,00000003,00000000,6C83A1B9,00000000), ref: 6C83F70F
                            • TerminateProcess.KERNEL32(00000000,?,6C83F7A5,6C83A1B9,00000003,00000000,6C83A1B9,00000000), ref: 6C83F716
                            • ExitProcess.KERNEL32 ref: 6C83F728
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-3916222277
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8B489B
                              • Part of subcall function 6C8B5FC9: __EH_prolog.LIBCMT ref: 6C8B5FCE
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @ K
                            • API String ID: 3519838083-4216449128
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C837E20
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C838643
                              • Part of subcall function 6C8398E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C83862C,00000000,?,?,?,6C83862C,?,6C86555C), ref: 6C839949
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: acb1b5d38c46012f2d66f2daeb84499f13e62e65bd6295013cd7bff8d5106144
                            • Instruction ID: b6f032ebf7a28e8992f3bddf5234145282166f2e0964b8d4f4c3f95396a0fe88
                            • Opcode Fuzzy Hash: acb1b5d38c46012f2d66f2daeb84499f13e62e65bd6295013cd7bff8d5106144
                            • Instruction Fuzzy Hash: 5BB1D071E082159BCF25CFA8C98569DBBF4FB49318F20A92BD819E7680D334A945CFD0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: 78544161cda98013de1bc4771a7733c2ede53a9e2c8cff1c600e6cd64610c9ca
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: D92191377A49564BD74CCA28DC33EB92681E744305B88527EE94BCB7D1DF5C8800C64C
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C88540F
                              • Part of subcall function 6C886137: __EH_prolog.LIBCMT ref: 6C88613C
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction ID: 05582ca47c639333a04a074afe9c1619a258874c94922a83951a6460da000e31
                            • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction Fuzzy Hash: 68626D71902359CFEF25CF98C690BDEBBB1BF04308F14496AE816A7A81D7749A44CF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: YA1
                            • API String ID: 0-613462611
                            • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction ID: b310d5878e46147d60d389263dd95ed5d00fd3c564ce634c174fee08122069ff
                            • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction Fuzzy Hash: 0942B4716093818FC325CF28C59069AFBE2BFD9308F164D6EE4D58B742D671E906CB92
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                            • Instruction ID: 7f0f12fb6e62950b3ff4ae2c53a0e3436b93bb1062a69d8fa79ea7b70e378efb
                            • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                            • Instruction Fuzzy Hash: 2BF15D7090464ADFCB64CFA8C690BDDBBB1BF04308F14896ED419ABB52D770AA59CF50
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: b4c071654a9587a0d34315c03784424b71c4ed5c360126df29833bb3a015e31d
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: ED51D871A093859BD720CF5AC4C02EDFFE6AF79214F14C45EE8C897242E27A599AC760
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction ID: 2ccf66366b0688b53f2ea184341ad8d858a8c3ef3f75084ff5f52f86942cb3ec
                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction Fuzzy Hash: 8C0297316083808BD325CF28C6907DEBBF2ABCAB08F144E2DE49597B51D7759949CB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 49bed549d73f35da184609b5df90ebce8d2e292930361540f6b506890781c8e9
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: A6518473E208214AD78CCE24DC2177572D2E784310F8BC1B99D8BAB6E6DD78A895C7D4
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction ID: de640847cd6f8c91cafa705f7e7fab82569d99510a5c1f4f87772e16325ec2de
                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction Fuzzy Hash: A1728EB16042178FD758CF18C5902A8FBE1FF88314B5A4AADD85ADB742DB70E895CBC0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction ID: 80a96ba7224a7cab52cbdbb9ee5d9458ce8f0174197f2740d0e661d35c94283b
                            • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction Fuzzy Hash: 3A525F31608B858BD329CF29C69066AB7E2BF9A308F144E2DD4DAC7B41DB74F845DB41
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: e5035de44d84a67bda72979111549e8f75a14931df67544b50007a1d55202762
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: 2F62F4B5A083458FC724CF19C68055ABBF5BFC8794F248E2EE8A987714D770E846CB52
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction ID: 44b2e8440d99b6f4aeacb024defcc3c7ed6ecd569d06a8b743f62715a9f0ecb1
                            • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction Fuzzy Hash: 4512BD712097418BC728CF68C6D066ABBE2BFCA304F644D2DE99A87B51D731E849CB51
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: 42dc3e6225329f1a57c13c62f2e41f4ba09397a369919fb80fd2b48c8c52520d
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: 58020B32A083118BD329CE28C6D0259BBF2FBC4395F154F3FE4A697A54D7749846CB92
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction ID: 195611ca33c0c5a444fd72ac355039924e0e8031d51e8e4fada3effef41a0a90
                            • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction Fuzzy Hash: 8FF123326042888BEB34CE28D8507EEB7E2FBC5304F59493DD889CBB41DB35A54AD781
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction ID: cdc66d3c6a6189b08d11ef8c443e5c2b43e29ad01a3a80a5faa1f9e107d19676
                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction Fuzzy Hash: 27E1CF71704B058BD724CE28D5A03AAB7E2EBCA314F544D3DC696C7B81DB75E50ACB81
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction ID: 1d70ff98cc4965d5bea9c3f9a4969b59eecf6e702f020785d914995589f70dec
                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction Fuzzy Hash: 75C1D371604B0A8BE338CF29C5906AAB7E2FBD9314F558E3DC296C7B45D630B495CB80
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: 79b42a396040d3b23664d821292d71d0ebc4906acd56491b51cc2680bb920106
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: 49C1E2352047428BC728CF3AD1A4696BBE2EFDE314F148A6DC4CA4BB55DA34A80DCB55
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction ID: 5ecb708847bac9d2fab8052988c78137ab64133dd7de68ec157bdf1a37cce9b9
                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction Fuzzy Hash: BBB195716012548FC3A0CF29C9842547BA2FF8A32CB795A9DC4548F656E337D847CBD1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: a6ec6a367b4f2db21c27d74d3c34cea2d02109b8f953f368b7878ed5ef11ee7e
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: 14B1AC31304B054BD334DA39CA907EAB7E1AF85358F05893DC5AA87781EF31B50ACBA4
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction ID: 4adad728741a077fb009ee82c0e348f1f3bf96627822ae247564d44a47dac672
                            • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction Fuzzy Hash: 05B1AA756087028BC314DF29C9806ABF7E2FFC9304F14892DE49AC7712E771A95ACB95
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction ID: d12d3a70b7236f608e991bf29b480b76b8b481411e5781a38b282949a0264f53
                            • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction Fuzzy Hash: C9A1E57160C3518FC324DF29C5D069ABBE1AFDA308F544E2DE4DA87741E6B1E949CB42
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction ID: ced0a757a80bd214f134ebd267ca1da4a8cbdeb1c11ceae4ac4be8550c52b653
                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction Fuzzy Hash: 0D51AF72F026099FDB18CE98DE926EDB7F2EB88308F248579D411E7B81D7749A41CB40
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction ID: 1c7b4e1baf8b9c00599a4707b3c5b2a2369f88cc21f69cdfada53e0911e50734
                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction Fuzzy Hash: 783114277A540103C71CCD3BCD1679F91935BD422A70ECF396C05DEF56D52CC8128154
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                             • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c67af15a5bd6268405f1e1f9a473578968b21168f2a712082d2c798ac820515d
                            • Instruction ID: 223aeeea804124d51c6fc84a68d8d57ce19a935b3f94007d916c2d3d411a78a3
                            • Opcode Fuzzy Hash: c67af15a5bd6268405f1e1f9a473578968b21168f2a712082d2c798ac820515d
                            • Instruction Fuzzy Hash: 58F03031A19328DBCB22CB8CC945B8973B9EB49B65F1144A6E505DB650D7B0ED40C7D0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction ID: 183827e977a7ab90114b88ecfbabba8f1bff5aa6b72f21c5f29199cf02b61e02
                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction Fuzzy Hash: 6CE0863291223CEBC724CB8CC600DC9B3ECE744A04B1145BAB501E3500C270DE00D7C0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction ID: 4e14e0fd5e9f7ecfef218164d9b4ba611c51e6aa3b1b53c6d8944502661a3aae
                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction Fuzzy Hash: 05D1BA31A04209DFCF25CFACDA90BEDBBB5FF45318F144969E056A3A50DB719948CBA0
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8B5B74
                              • Part of subcall function 6C8B5AC2: __EH_prolog.LIBCMT ref: 6C8B5AC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: DJ$H K$L K$P K$T K$X K$\ K
                            • API String ID: 3519838083-3148776506
                            • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                            • Instruction ID: 6fb0ce4eb20382ebd467c3aa2725a722d70d513500f56d156b837e78f072b47d
                            • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                            • Instruction Fuzzy Hash: 1C51733090430A9BCF30DF98C6946EEB362AB4131CB148D3AC9616BF85DB75A94AC750
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $ $$ K$, K$.$o
                            • API String ID: 3519838083-1786814033
                            • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                            • Instruction ID: 213f08c0d1738658c666c1cf32dc0023d6322a9572adbad8fc18bcb909dd164d
                            • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                            • Instruction Fuzzy Hash: C9D1F431D042598BCF21CFA8CA907EEBBB1BF45308F244A6AD455BBB41CB716D49CB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction ID: d180364f45bf2245e5a2a53264bcd266dbd563b2d01723810502946fb0a5f62b
                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction Fuzzy Hash: 37127C71911219EFCF20DFA8CA80ADDBBB5FF08318F24896DE815A7A50DB359945CF50
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6C83A077
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C83A07F
                            • _ValidateLocalCookies.LIBCMT ref: 6C83A108
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C83A133
                            • _ValidateLocalCookies.LIBCMT ref: 6C83A188
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: b46cfd73fdce2e86d0b9060c0403654f2fcf45147cc1ded89744d6d63949ece5
                            • Instruction ID: 97f329247ff99de7032c5be2e3c2226686da47ab548fbc64c76c427d7c16b78d
                            • Opcode Fuzzy Hash: b46cfd73fdce2e86d0b9060c0403654f2fcf45147cc1ded89744d6d63949ece5
                            • Instruction Fuzzy Hash: A341A334A00128ABCF20CFE8C990ADE7BB5BF85318F209965E8199B751D736DA15CBD0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            • Opcode ID: f959412ba58b19c1079407a78eb73b0464eebe0f8b4eaf4a30b7562ab6f55880
                            • Instruction ID: 2899e3d45796cdb460bf421c271e76821291c733d90604f918d037679bcf80a4
                            • Opcode Fuzzy Hash: f959412ba58b19c1079407a78eb73b0464eebe0f8b4eaf4a30b7562ab6f55880
                            • Instruction Fuzzy Hash: C521DB71A05A19ABDB31866D8E40E6F3B689F4276CF164D60ED15A7B81D734EC00C6F1
                            APIs
                            • GetConsoleCP.KERNEL32(?,6C84B640,?), ref: 6C84C469
                            • __fassign.LIBCMT ref: 6C84C648
                            • __fassign.LIBCMT ref: 6C84C665
                            • WriteFile.KERNEL32(?,6C856026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C84C6AD
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C84C6ED
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C84C799
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 5e536435cac9ce31f3e1e4e9649a2f3017c4182c8dafcc710cca523ce08ef9ef
                            • Instruction ID: 739bdd6b3c699bbd5ee4eebc8836511bfbc01d1be731a4832f5433162cfbef58
                            • Opcode Fuzzy Hash: 5e536435cac9ce31f3e1e4e9649a2f3017c4182c8dafcc710cca523ce08ef9ef
                            • Instruction Fuzzy Hash: E2D1D075E0125C9FCF21DFA8CA809EDBBB9BF49314F248569E459BB302D731990ACB50
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C702F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C702FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C702FD0
                            • __Getctype.LIBCPMT ref: 6C703084
                            • std::_Facet_Register.LIBCPMT ref: 6C70309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C7030B7
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID:
                            • API String ID: 1102183713-0
                            • Opcode ID: 2b1eba8b1978abd6ec744d146d3415dd83b54a65b0f72a88cbff782cebfc727d
                            • Instruction ID: 86baa95f9bddeefb3279a834cb05fe9427654526a36c4ba2351b0013f4fcef7c
                            • Opcode Fuzzy Hash: 2b1eba8b1978abd6ec744d146d3415dd83b54a65b0f72a88cbff782cebfc727d
                            • Instruction Fuzzy Hash: E14175B2E04614CFCB20CF98CA54B9ABBF1FB44718F154529D859ABB50D731A908CF90
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 7c306437da08adaec598699ff11b5fc2e3bcfc32b0f43ec85c6d02ceddbbc149
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: F9218130601319FBDF308E948D84DDF7A79EF617B8F208A29B52461690E6718D50C6F1
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C87A6F1
                              • Part of subcall function 6C889173: __EH_prolog.LIBCMT ref: 6C889178
                            • __EH_prolog.LIBCMT ref: 6C87A8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: f28adb032ecbe9effc1a0cd42a350bec2f2f108ab5ff5a87132a9e6753aea66e
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 8E71A130900255DFDB24CFA8C584BEDB7B4BF15308F1088ADD8556BB91DB78AA49CBA1
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6C702A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: U#pl$q!pl$Jbx$Jbx
                            • API String ID: 4194217158-2396675728
                            • Opcode ID: 846b09a0c2e27be7e33d2c8977f5034879a50e92c54116bf399944f498da9f35
                            • Instruction ID: e95636f968186b6c22649db09cb89eca4c9ea53811b2eb8d402921498ce4905d
                            • Opcode Fuzzy Hash: 846b09a0c2e27be7e33d2c8977f5034879a50e92c54116bf399944f498da9f35
                            • Instruction Fuzzy Hash: 4B5124F2A002048FCB20CF58CA85A9EBBF5FF88304F14886DE8499B741D735D985CB91
                            APIs
                            • _free.LIBCMT ref: 6C85604D
                            • _free.LIBCMT ref: 6C856076
                            • SetEndOfFile.KERNEL32(00000000,6C854C5C,00000000,6C84B640,?,?,?,?,?,?,?,6C854C5C,6C84B640,00000000), ref: 6C8560A8
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C854C5C,6C84B640,00000000,?,?,?,?,00000000,?), ref: 6C8560C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: 106e725d8f02e622e4d97042ab900d7738938487c83f3c582067d4ee1ccc0a54
                            • Instruction ID: fab285383c220d49865fc1487b6e18f5a136ad45627126f2983fca395be23b38
                            • Opcode Fuzzy Hash: 106e725d8f02e622e4d97042ab900d7738938487c83f3c582067d4ee1ccc0a54
                            • Instruction Fuzzy Hash: 0041E6B2A006059ADB719FBCCE40BCE37B5AF45368F641D60E814F7B90EBB5C4298760
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8C3853
                              • Part of subcall function 6C8C35DF: __EH_prolog.LIBCMT ref: 6C8C35E4
                              • Part of subcall function 6C8C3943: __EH_prolog.LIBCMT ref: 6C8C3948
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: ((K$<(K$L(K$\(K
                            • API String ID: 3519838083-3238140439
                            • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                            • Instruction ID: 4f938a89f8eb636b233fd39c9e5749dcb1632df15548d3c874922095c034b9fb
                            • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                            • Instruction Fuzzy Hash: 2E212AB0901B448EC734DF6AC6446DBFBF4AF51704F108E6F80A697B50DBB4AA488B65
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C88E41D
                              • Part of subcall function 6C88EE40: __EH_prolog.LIBCMT ref: 6C88EE45
                              • Part of subcall function 6C88E8EB: __EH_prolog.LIBCMT ref: 6C88E8F0
                              • Part of subcall function 6C88E593: __EH_prolog.LIBCMT ref: 6C88E598
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: 2aba2601da1ad42292cf6268299d85d743f2b3eb98d52a7fa96641c025e2902a
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: 82218B71D01258AECB24DBE9DA849EDBBB4AF25318F20443DE41677B81DB784E4CCB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ$`J
                            • API String ID: 3519838083-2453737217
                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction ID: 09ebc3b51b6def2474f32ee5db4f329cbed127a98b3312bc8a56b03e23171d06
                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction Fuzzy Hash: DD11F5B4501B64CEC720CF5AC55019AFBE4BF65708B00C92FC4A687B50CBF8A548CB85
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C83F724,00000000,?,6C83F7A5,6C83A1B9,00000003,00000000), ref: 6C83F6AF
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C83F6C2
                            • FreeLibrary.KERNEL32(00000000,?,?,6C83F724,00000000,?,6C83F7A5,6C83A1B9,00000003,00000000), ref: 6C83F6E5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 09d59708901be10c891cfbdb61369113c362dd5dd762f152107125d2e63a6bd4
                            • Instruction ID: 0cb1fdc55d44573362f196047fb3d161f0c44a313cdeed490ae302cecb61c143
                            • Opcode Fuzzy Hash: 09d59708901be10c891cfbdb61369113c362dd5dd762f152107125d2e63a6bd4
                            • Instruction Fuzzy Hash: C2F01231605129FBDF219B92CB19B9E7B74EB8175DF1114A4B409E1660DB748E00EBD4
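Most entries in this listing reference MSVC runtime helpers (__EH_prolog, _ValidateLocalCookies, std::_Lockit, __fassign) rather than Win32 imports, and the GetModuleHandleExW("mscoree.dll") / GetProcAddress("CorExitProcess") / FreeLibrary sequence directly above is the MSVC CRT's normal exit path, which checks whether the .NET runtime is loaded before calling ExitProcess; on its own it does not indicate that the sample uses .NET. As an added example, not part of the Joe Sandbox report, the following Python parser reads function entries in this report's format, separates runtime-library references (module tags LIBCMT, LIBCPMT, LIBVCRUNTIME) from OS imports such as KERNEL32, and builds a histogram of OS APIs so an analyst can skip CRT noise when triaging a long listing. The sample text is transcribed from four entries on this page with unneeded fields dropped; the set of runtime module tags and the entry layout (an "APIs" header opening each entry, "Similarity" fields following it) are assumptions drawn from what this listing shows.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Module tags this report uses for C/C++ runtime code (assumption: only the
# tags visible in the listing; extend if a report shows others).
RUNTIME_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}

# One API line: optional "Part of subcall function <caller>: ", then
# <name>.<module>[(args)], ref: <address>.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)

# Constructed sample: four entries transcribed from the listing (hash fields
# and memory-dump lines that the parser ignores were left out).
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C83F724,00000000,?,6C83F7A5,6C83A1B9,00000003,00000000), ref: 6C83F6AF
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C83F6C2
• FreeLibrary.KERNEL32(00000000,?,?,6C83F724,00000000,?,6C83F7A5,6C83A1B9,00000003,00000000), ref: 6C83F6E5
Strings
Memory Dump Source
• Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: C2F01231605129FBDF219B92CB19B9E7B74EB8175DF1114A4B409E1660DB748E00EBD4
APIs
• _ValidateLocalCookies.LIBCMT ref: 6C83A077
• ___except_validate_context_record.LIBVCRUNTIME ref: 6C83A07F
Strings
Similarity
• API ID: CookiesLocalValidate$___except_validate_context_record
• String ID: csm
• Instruction Fuzzy Hash: A341A334A00128ABCF20CFE8C990ADE7BB5BF85318F209965E8199B751D736DA15CBD0
APIs
• __EH_prolog.LIBCMT ref: 6C8B5B74
  • Part of subcall function 6C8B5AC2: __EH_prolog.LIBCMT ref: 6C8B5AC7
Strings
Similarity
• API ID: H_prolog
• Instruction Fuzzy Hash: 1C51733090430A9BCF30DF98C6946EEB362AB4131CB148D3AC9616BF85DB75A94AC750
APIs
• _free.LIBCMT ref: 6C85604D
• SetEndOfFile.KERNEL32(00000000,6C854C5C,00000000,6C84B640,?,?,?,?,?,?,?,6C854C5C,6C84B640,00000000), ref: 6C8560A8
• GetLastError.KERNEL32(?,?,?,?,?,?,?,6C854C5C,6C84B640,00000000,?,?,?,?,00000000,?), ref: 6C8560C4
Strings
Similarity
• API ID: _free$ErrorFileLast
• String ID: 8Q
• Instruction Fuzzy Hash: 0041E6B2A006059ADB719FBCCE40BCE37B5AF45368F641D60E814F7B90EBB5C4298760
"""


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (name, module, ref, caller or None)
    string_id: str = ""
    fuzzy_hash: str = ""

    @property
    def os_imports(self):
        """Sorted, de-duplicated names of non-runtime (OS) imports."""
        return sorted({n for n, m, _, _ in self.apis if m not in RUNTIME_MODULES})

    @property
    def runtime_only(self):
        """True when the block references CRT helpers and nothing else."""
        return bool(self.apis) and not self.os_imports


def parse_entries(text):
    """Split report text into entries; each 'APIs' header opens a new one."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:  # text before the first complete entry
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"], m["caller"]))
        elif s.startswith("• String ID:"):
            cur.string_id = s.split(":", 1)[1].strip()
        elif s.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = s.split(":", 1)[1].strip()
    return entries


def os_api_histogram(entries):
    """Count OS imports across all entries; CRT-only blocks contribute nothing."""
    hist = Counter()
    for e in entries:
        hist.update(e.os_imports)
    return hist


def summarize(entries):
    """One triage line per entry: OS imports or a CRT-only marker, plus string id."""
    lines = []
    for i, e in enumerate(entries):
        tag = "CRT-only" if e.runtime_only else (", ".join(e.os_imports) or "no APIs")
        lines.append(f"[{i}] {tag} | strings={e.string_id or '-'} | fuzzy={e.fuzzy_hash[:16]}")
    return lines


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("\n".join(summarize(parsed)))
    print(os_api_histogram(parsed).most_common())
```

Run against a full report export, the histogram gives a quick view of which OS APIs the non-CRT code actually touches; entries marked CRT-only can be set aside, and the remaining fuzzy hashes are the ones worth comparing across samples.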
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6C83789E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C8378A9
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C837917
                              • Part of subcall function 6C8377A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C8377B8
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6C8378C4
                            • _Yarn.LIBCPMT ref: 6C8378DA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: 83bbaf77c2203ef7fe174a782e4a074d5f4a4093978e9efa1bcc96d42916e703
                            • Instruction ID: 4b6ffcc85d685032e643f1c3f94592a5ccbf7f628d07feb678331a3cef0379ed
                            • Opcode Fuzzy Hash: 83bbaf77c2203ef7fe174a782e4a074d5f4a4093978e9efa1bcc96d42916e703
                            • Instruction Fuzzy Hash: 4301DA75600220CBCB22DFA48744ABC7BB1FF82604B252819D80E57780CF38AA06CBC0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: beed1ecf025b1ba1c9b34f657d5bc8fc4d9a9df93dad9b94ceeba5ee8c273565
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: FD123F74905349DFCB24CFA8C6D09DDBBB1BF09308F14886EE845ABB51DB31A995CB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: dfdce8963f552f98a32531588d0a1b36912da2d5a10bfb88387397e2e3427313
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 12B15EB1D02209DFCB24CF99CA849AEBBF1FF48314F60892EE415A7B51D734AA45CB54
                            APIs
                              • Part of subcall function 6C837897: __EH_prolog3.LIBCMT ref: 6C83789E
                              • Part of subcall function 6C837897: std::_Lockit::_Lockit.LIBCPMT ref: 6C8378A9
                              • Part of subcall function 6C837897: std::locale::_Setgloballocale.LIBCPMT ref: 6C8378C4
                              • Part of subcall function 6C837897: _Yarn.LIBCPMT ref: 6C8378DA
                              • Part of subcall function 6C837897: std::_Lockit::~_Lockit.LIBCPMT ref: 6C837917
                              • Part of subcall function 6C702F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C702F95
                              • Part of subcall function 6C702F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C702FAF
                              • Part of subcall function 6C702F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C702FD0
                              • Part of subcall function 6C702F60: __Getctype.LIBCPMT ref: 6C703084
                              • Part of subcall function 6C702F60: std::_Facet_Register.LIBCPMT ref: 6C70309C
                              • Part of subcall function 6C702F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C7030B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6C70211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: 7235f09adae8cee5290b3f604087dc06094e6db337fe815cf656117737546470
                            • Instruction ID: 17cba1a56b2759a569d7c11efaa628ebca59c2edbfd536522191a19f81fb14f3
                            • Opcode Fuzzy Hash: 7235f09adae8cee5290b3f604087dc06094e6db337fe815cf656117737546470
                            • Instruction Fuzzy Hash: CE41B2B1A003099FDB00CF64C9497AABBF1FF44318F148668E919AB791E775A985CB90
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $CK$CK
                            • API String ID: 3519838083-2957773085
                            • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction ID: 9646d86868716a028ee2efbf3da455d628e5cc3af0ab87793ebac2ce90f0eacc
                            • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction Fuzzy Hash: F3219270E122058BCB24DFE8C6801EEF7B6FF94304F544A6EC512E7F91C7745A468A51
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C894ECC
                              • Part of subcall function 6C87F58A: __EH_prolog.LIBCMT ref: 6C87F58F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 561fba805dc6450617fd7aca0eb88b73a391487d9702404e7344dece59c3b639
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: 722197B0901B50DFC760CF6AC14429ABBF4BB29718B508D6EC0AA97F11D7B8A548CF55
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C84B640,6C701DEA,00008000,6C84B640,?,?,?,6C84B1EF,6C84B640,?,00000000,6C701DEA), ref: 6C84B339
                            • GetLastError.KERNEL32(?,?,?,6C84B1EF,6C84B640,?,00000000,6C701DEA,?,6C854C0E,6C84B640,000000FF,000000FF,00000002,00008000,6C84B640), ref: 6C84B343
                            • __dosmaperr.LIBCMT ref: 6C84B34A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: 993848015561978d75693d42d2d03df010d78eca58bffe619ebc150d002267c0
                            • Instruction ID: 0b362d5f0bcad8244f8097b0b9deb84bccabc09f5225ac5d8338bf01bde1b270
                            • Opcode Fuzzy Hash: 993848015561978d75693d42d2d03df010d78eca58bffe619ebc150d002267c0
                            • Instruction Fuzzy Hash: 62012832714918ABCF258FAECD048BE3B7ADBC6328B654658F8109B680EB70D9018790
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: <J$DJ$HJ$TJ$]
                            • API String ID: 0-686860805
                            • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction ID: d58acf16c4d91a43d4bea2c67fcc02bb2fd0cd06198d1fac8e28877ab25a52b6
                            • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction Fuzzy Hash: AF41B430C46299AFCF34CBA5DA908FEB770AF51308B20897DD12167E50EB35B649CB21
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction ID: 83cee45ef14d27de70dc3d94a614844ca9248e46bbb647f65ffdd3b1c987c339
                            • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction Fuzzy Hash: 5811A276201304BFEB314AA4CD44EAF7BBDEFD5754F10892DF24156A90C6B1AC04D720
                            APIs
                            • GetLastError.KERNEL32(00000008,?,00000000,6C8489C3), ref: 6C844F27
                            • _free.LIBCMT ref: 6C844F84
                            • _free.LIBCMT ref: 6C844FBA
                            • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C844FC5
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: be4e92fbe19ed56e56121596f6293f1c0471da4d95b8f79ffad6e65410eb1e4a
                            • Instruction ID: 245dbc7344f2dd8b5f7b9af08defadad7397a0283a21e94f640fb84a2cd0094f
                            • Opcode Fuzzy Hash: be4e92fbe19ed56e56121596f6293f1c0471da4d95b8f79ffad6e65410eb1e4a
                            • Instruction Fuzzy Hash: EC11943234970C2A9B325FBD4E85D5A2569ABC637EB258F38F12497B80EF658C198110
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6C854C5C,00000000,00000000,?,6C8550C1,00000000,00000001,00000000,6C84B640,?,6C84C7F6,?,?,6C84B640), ref: 6C856441
                            • GetLastError.KERNEL32(?,6C8550C1,00000000,00000001,00000000,6C84B640,?,6C84C7F6,?,?,6C84B640,?,6C84B640,?,6C84C28C,6C856026), ref: 6C85644D
                              • Part of subcall function 6C85649E: CloseHandle.KERNEL32(FFFFFFFE,6C85645D,?,6C8550C1,00000000,00000001,00000000,6C84B640,?,6C84C7F6,?,?,6C84B640,?,6C84B640), ref: 6C8564AE
                            • ___initconout.LIBCMT ref: 6C85645D
                              • Part of subcall function 6C85647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C85641B,6C8550AE,6C84B640,?,6C84C7F6,?,?,6C84B640,?), ref: 6C856492
                            • WriteConsoleW.KERNEL32(00000000,?,6C854C5C,00000000,?,6C8550C1,00000000,00000001,00000000,6C84B640,?,6C84C7F6,?,?,6C84B640,?), ref: 6C856472
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 5ad2032e8a08a0446d102972c9ad6253a80aa80d169597591d96a005585d93f8
                            • Instruction ID: b4735eb01bc536d72c42417aec503bf372274b504f08d7aa1d961682c25386bf
                            • Opcode Fuzzy Hash: 5ad2032e8a08a0446d102972c9ad6253a80aa80d169597591d96a005585d93f8
                            • Instruction Fuzzy Hash: BBF01236540118BBCF725FA6DC0499E3F36FB867AAF454420FA4895610CB728831DBD0
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C86E077
                              • Part of subcall function 6C86DFF5: __EH_prolog.LIBCMT ref: 6C86DFFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :$\
                            • API String ID: 3519838083-1166558509
                            • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction ID: 667b45a5acd5863f98bc86d04989d612f89e9714f585bbd6fdb86718089df65a
                            • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction Fuzzy Hash: 1CE1E030900208DACB30CFAACB94BEEB7B1BF15318F10492DD4956BF90EB75A549CB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x'K$|'K
                            • API String ID: 3519838083-1041342148
                            • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                            • Instruction ID: 38baee5059b3f3b48a8825dd15432e6b75f9859b5f5c20a5475cebbb3bcd481c
                            • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                            • Instruction Fuzzy Hash: EBD1C830A447499ADB31CB68D750AFEB7B1AF9130CF204E2DD06663D90D765E98AC713
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 99cbbac5ca5f03791b9866aea02b91e56b65dacfe2fd7492cc0a1a363c327e05
                            • Instruction ID: 5d3605f0d0c3589ba390008f8d14216e229a9b1653f41fd501d0bbe26d8cf21b
                            • Opcode Fuzzy Hash: 99cbbac5ca5f03791b9866aea02b91e56b65dacfe2fd7492cc0a1a363c327e05
                            • Instruction Fuzzy Hash: 8571C971D0122E9BDF318F99CA40AEEFA75EF46368F14CA29E820A7A40D775DC45C760
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            • API String ID: 3519838083-1391159562
                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction ID: 52b093d6d5b06cc8bf4e3117d73cda906a9e82cea6892476ece31489ffa2dda3
                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction Fuzzy Hash: AC913C70910258EFCB20DF99CA949DEFBF4FF18308F54492EE559A7A50D770AA48CB20
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C888C5D
                              • Part of subcall function 6C88761A: __EH_prolog.LIBCMT ref: 6C88761F
                              • Part of subcall function 6C887A2E: __EH_prolog.LIBCMT ref: 6C887A33
                              • Part of subcall function 6C888EA5: __EH_prolog.LIBCMT ref: 6C888EAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: 929f25dda1dec07588b907396a9f37d71f11ad160d92f202526d893e473c3f87
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 27818031D01159DFCF25DFA8DA90ADDB7B4AF18318F1048AAE41677B90DB30AE49CB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aullrem
                            • String ID: d%K
                            • API String ID: 3415659256-3110269457
                            • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                            • Instruction ID: 23b47cb63ca88af40b1216a8fa18e6b288437e759d1954f764c147390911c818
                            • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                            • Instruction Fuzzy Hash: BC61AD71A012099BDF21CF98C744BEEB7F5AF45309F248869D854BBB81D771DA09CBA0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: CK$CK
                            • API String ID: 3519838083-2096518401
                            • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction ID: d6e2ee5e119c77ffba6dc83386628463e44909fd1ecb879467ab1156b6fdaee7
                            • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction Fuzzy Hash: CC519E75A00206DFDB28CFA4C9C0AEEB7B5FF89358F148929D901EB741DB74E9058B60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: <dJ$Q
                            • API String ID: 3519838083-2252229148
                            • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction ID: a2b4406f765641ca5799c5a390586491b52fb79e4dd427594700a45197f82840
                            • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction Fuzzy Hash: 46516F71904299EFCF20DF9DCA808EDB7B1BF49318F10892EE525ABA50D7319A49DB10
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $D^J
                            • API String ID: 3519838083-3977321784
                            • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction ID: 6e70a56f60e7814068112a9bd98082f46382a62a1243705789f9e65df9d30bb9
                            • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction Fuzzy Hash: 04414A20A079907FD7328B2DCE50BF9BBA19F96208F148D78C4D247F85DB68598BC394
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 8)L$8)L
                            • API String ID: 3519838083-2235878380
                            • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                            • Instruction ID: 6dc9a5f1dc5507d28651e6cbd6eafa8287c95b7704f4a84811cc6a4ab9255994
                            • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                            • Instruction Fuzzy Hash: 9A51B331601600DFD7349FA9CA90BDAB7F2FF85318F54492ED19A87AA0DB717848CB58
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C854C46), ref: 6C84D58B
                            • __dosmaperr.LIBCMT ref: 6C84D592
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            • Opcode ID: 44651254109fd52eb9234026f540f79de1adcf60fa274db7b2c3402a28fc195b
                            • Instruction ID: 8775f351046f94e7e84724ed2341b6a410252e39d553e04ecdc934825e6b6369
                            • Opcode Fuzzy Hash: 44651254109fd52eb9234026f540f79de1adcf60fa274db7b2c3402a28fc195b
                            • Instruction Fuzzy Hash: 76418B7160415CAFDB31CF6CCA806A97FF5EB4635CF15899AE8848B601DB309C11C790
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: U#pl$q!pl
                            • API String ID: 4218353326-2401066055
                            • Opcode ID: b004fb26c2b52375442ebedd0fcaab1a2ae25d1f25ffa9a2789461debcec7884
                            • Instruction ID: 82822e5184008d40b92e5edd900c6e074fc7c83130a102f1bbd3b424ad414fe9
                            • Opcode Fuzzy Hash: b004fb26c2b52375442ebedd0fcaab1a2ae25d1f25ffa9a2789461debcec7884
                            • Instruction Fuzzy Hash: 214191F2D002189BCB10DFA8DE84BDEBBB9FB58314F150525E808A7741E7319A48CBE1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: PdJ$Q
                            • API String ID: 3519838083-3674001488
                            • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                            • Instruction ID: a64d30724a5b09e10d03dd687d6cc743e7b4667b4c16cae35b286088e889a39d
                            • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                            • Instruction Fuzzy Hash: D041AE31D00249DBCB21DFACCA909DDB3B1FF4D318F10892EE965A7A50D3319945CBA5
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: d7c6c33f87d7830c0be3906fbe8ac09827ee0de271b64494d87afcfc9718e286
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: 4841A031601745EFCF218FA4C6907EEBBA2FF85209F004C2EE05A5BB50CB316905CB51
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID: 3333
                            • API String ID: 3732870572-2924271548
                            • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction ID: 9cf730a6249a7c4dec6bf3ec911f1c656503836cc45f9c366b8a4ab122aee03a
                            • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction Fuzzy Hash: B821A6B0A00744AED730CFA98880B6BBAFDEB64715F108D2EE146D7B44D770E9448B65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: e4588900f5b12b21a2ccee6fdec9a0ca67230b46cf9336507707369d82e8481e
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: B901C4B1E01349DADB20DFD985805AEF7B4FF55304F40882EE56AE7A40C334A905CB69
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$xMJ
                            • API String ID: 3519838083-951924499
                            • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction ID: 39dd786a23716315f779d2d0874c8d3c98ac76093c3d466a46f9d0d82eb6d9e9
                            • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction Fuzzy Hash: 73117971A00209DBCB20DF99C5905AEF7B5FF18348B50C83EE469E7A01E3389A45CBA5
                            APIs
                            • _free.LIBCMT ref: 6C84E2B9
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C84ABAA,?,00000004,?,4B42FCB6,?,?,6C83FCFC,4B42FCB6,?), ref: 6C84E2F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
                            • Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557658138.000000006C858000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1559239542.000000006CA23000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: f97d92d9db7128add05d57066fdfa66726136cfaf377251a3f94f711400fc84a
                            • Instruction ID: 5396e0c60cccebcca5d5172df6aabe818c490cc80461290e5c68d4ba596f5676
                            • Opcode Fuzzy Hash: f97d92d9db7128add05d57066fdfa66726136cfaf377251a3f94f711400fc84a
                            • Instruction Fuzzy Hash: 8AF0C83160113C65DB319E2A9E00F9BB7689FC3B79B11CD3DF914A6E80DB74840183E0
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8AAFCC
                              • Part of subcall function 6C8AA4D1: __EH_prolog.LIBCMT ref: 6C8AA4D6
                              • Part of subcall function 6C8A914B: __EH_prolog.LIBCMT ref: 6C8A9150
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J
                            • API String ID: 3519838083-2882003284
                            • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction ID: d4b5653e11a077b44f3ad9d33b563e4a07cf8e235b2e5b772890d18425879009
                            • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction Fuzzy Hash: 9C0105B1804B50CFC325CF9AC5A42CAFBE0BB15304F90CD6EC0A657B50D7B8A508CB68
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C8A43F9
                              • Part of subcall function 6C8A4320: __EH_prolog.LIBCMT ref: 6C8A4325
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: `)L$|{J
                            • API String ID: 3519838083-2198066115
                            • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                            • Instruction ID: fc0f4341373aa2a0579d3615c8aa18207845a161801c5b7ad8199811d91508e4
                            • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                            • Instruction Fuzzy Hash: FFF05872611014BFCB059F94DD04BDEBBA9FF99314F00842AF905A6650CFB5AA15CB98
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: <oJ
                            • API String ID: 3037903784-2791053824
                            • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction ID: 8301e84505cbfadcc40f138e9d14492679a6e2c98c7d7a012a9d6f4a978d1a27
                            • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction Fuzzy Hash: EFE06D32B155109FDB249F4DD920BDEF7B8EF55B24F11052EE022A7B91CBB2E810C685
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: \~J
                            • API String ID: 3037903784-3176329776
                            • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                            • Instruction ID: fe1ff1addbc08d8c34e970f79b4ddfa7086716f8eef913fee91117a041948544
                            • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                            • Instruction Fuzzy Hash: A5E0E532A069119FEB348F88C920BDEF7A4EF54B28F10441ED011A7B44CBB0A841D681
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @ K$DJ$T)K$X/K
                            • API String ID: 0-3815299647
                            • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                            • Instruction ID: 142124417e03f66c9f9cd184cac9cea5d34c489467d4bc5b0bc07a17d56eab6a
                            • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                            • Instruction Fuzzy Hash: 8291A0307043459BEB20DFA9C6507EA73A2AF6230CF148C29C8665BF85DB75E919CB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
                            • Associated: 00000007.00000002.1558347408.000000006C933000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1558384526.000000006C939000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c6b0000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction ID: 1d6110681c8a2556e1df13ba074ba9de530b4436f0ec25439c0625934246d94b
                            • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction Fuzzy Hash: 7051A231A142099BCF21CF99DA40AEEB7B1EF9531CF104C2AE81567F80DB75D988C752
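The blocks above are the per-function similarity records Joe Sandbox emits for the dump regions at offsets 6C6B0000 and 6C868000: each pairs the memory dump a function was disassembled from with its API calls, an API ID, a String ID, an Opcode ID and two fuzzy hashes, which are the values an analyst pivots on when comparing this SilverFox/Winos sample with other reports. Added example, not part of this report or of Joe Sandbox's own tooling: a Python parser that turns those blocks into structured records, tolerates the "Download File" link label that HTML extraction fuses onto Associated lines, and groups the functions by API ID. The sample input is a constructed copy of two records from this section; the names FunctionRecord, parse_records, dump_fields, group_by_api_id and duplicate_opcode_ids are my own, and the dotted sdmp file name is split into raw fields without assigning them a meaning.

```python
"""Parse Joe Sandbox per-function similarity blocks into structured records.
Added example, not Joe Sandbox code. SAMPLE is a constructed copy of two records from
this report; one Associated line keeps the "Download File" label fused on by HTML extraction.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR: "
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?(?P<name>[^\s(]+?)\."
    r"(?P<module>[A-Za-z0-9_]+)(?P<args>\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
ASSOC_RE = re.compile(r"^Associated:\s*(?P<file>\S+?\.sdmp)")  # no $ anchor: tolerates the fused label


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # API_RE.groupdict() per call line
    source_file: str = ""
    offset: str = ""                                # the "Offset" printed for the source dump
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # "API ID", "Opcode ID", fuzzy hashes, ...


def parse_records(text: str) -> list:
    """State machine over the report text; a record closes at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue                                # blank line or page chrome
        item = line.lstrip("•").strip()
        key, _, value = item.partition(":")
        if section == "APIs" and (m := API_RE.match(item)):
            cur.apis.append(m.groupdict())
        elif section == "Memory Dump Source":
            if m := SOURCE_RE.match(item):
                cur.source_file, cur.offset = m["file"], m["offset"].upper()
            elif m := ASSOC_RE.match(item):
                cur.associated.append(m["file"])
        elif section == "Similarity":
            cur.similarity[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":   # always the last field printed
                records.append(cur)
                cur = FunctionRecord()
    return records


def dump_fields(sdmp_name: str) -> list:
    """Dot-separated fields of an sdmp name; their individual meaning is not assumed here."""
    return sdmp_name.rsplit(".sdmp", 1)[0].split(".")


def group_by_api_id(records: list) -> dict:
    """API ID -> Opcode IDs of the functions sharing that API profile (a pivot key across reports)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.similarity.get("API ID", "") or "<none>"].append(rec.similarity.get("Opcode ID", ""))
    return dict(groups)


def duplicate_opcode_ids(records: list) -> list:
    """Opcode IDs listed more than once, i.e. the same function reported twice."""
    seen, dupes = set(), set()
    for rec in records:
        oid = rec.similarity.get("Opcode ID", "")
        (dupes if oid in seen else seen).add(oid)
    return sorted(dupes)


SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C854C46), ref: 6C84D58B
• __dosmaperr.LIBCMT ref: 6C84D592
Strings
Memory Dump Source
• Source File: 00000007.00000002.1556376909.000000006C6B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000007.00000002.1556344547.000000006C6B0000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: ErrorLast__dosmaperr
• String ID: 8Q
• API String ID: 1659562826-4022487301
• Opcode ID: 44651254109fd52eb9234026f540f79de1adcf60fa274db7b2c3402a28fc195b
• Instruction Fuzzy Hash: 76418B7160415CAFDB31CF6CCA806A97FF5EB4635CF15899AE8848B601DB309C11C790
APIs
• __EH_prolog.LIBCMT ref: 6C8AAFCC
  • Part of subcall function 6C8AA4D1: __EH_prolog.LIBCMT ref: 6C8AA4D6
Memory Dump Source
• Source File: 00000007.00000002.1557738520.000000006C868000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C868000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: J$0J
• Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction Fuzzy Hash: 9C0105B1804B50CFC325CF9AC5A42CAFBE0BB15304F90CD6EC0A657B50D7B8A508CB68
"""
```

Feed the whole report text to parse_records and the result is one FunctionRecord per block, with nested "Part of subcall function" entries carrying the parent address in their `parent` key; group_by_api_id shows at a glance how many of the listed functions reduce to the same API profile (on this page most are bare H_prolog wrappers), and duplicate_opcode_ids flags blocks the report printed more than once.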