Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
(renamed because the original name is a hash value)
Original sample name: _1.1.1.exe
Analysis ID: 1580550
MD5: 06d612676f808e50beef2f579321ff99
SHA1: 15c1a4371d5253ed4a045920f6f7c502d9b30d9e
SHA256: 61a4f5e9d34679627708b25beb4d0e475dea7d84392611a28437decbe9396c52
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" MD5: 06D612676F808E50BEEF2F579321FF99)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp (PID: 6172 cmdline: "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" MD5: 50BE0CB95305EF8AE459BA9C46D78BDF)
      • powershell.exe (PID: 5996 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7400 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT MD5: 06D612676F808E50BEEF2F579321FF99)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp (PID: 1268 cmdline: "C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10498,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT MD5: 50BE0CB95305EF8AE459BA9C46D78BDF)
          • 7zr.exe (PID: 7256 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7344 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 8100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7224 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7240 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7780 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5420 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7388 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3192 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7688 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7956 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7972 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ParentProcessId: 6172, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5996, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7240, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ParentProcessId: 6172, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5996, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7240, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ParentProcessId: 6172, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5996, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; Virustotal: Detection: 12%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 90.6% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2070117259.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2070186077.0000000003010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C70E090 FindFirstFileA,FindClose,FindClose,6_2_6C70E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00216868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00216868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00217496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00217496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000003.2020871154.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012141350.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012492273.000000007F19B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000000.2013870078.00000000001F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000000.2026090207.00000000002DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012141350.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012492273.000000007F19B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000000.2013870078.00000000001F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000000.2026090207.00000000002DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Process information set: 01 00 00 00

System Summary

Source: update.vbc.2.dr; Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr; Static PE information: section name: .aQ#
Source: update.vbc.6.dr; Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C718810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C718810
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C593886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C593886
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C719450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C719450
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C593C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C593C62
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C593D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C593D62
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C593D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C593D18
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C5939CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C5939CF
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C593A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C593A6A
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C591950 CreateFileA,DeviceIoControl,CloseHandle,6_2_6C591950
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp; Code function: 6_2_6C594754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C594754
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C5947546_2_6C594754
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C8F8D126_2_6C8F8D12
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C864F0A6_2_6C864F0A
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C8838816_2_6C883881
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7148606_2_6C714860
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C8EB06F6_2_6C8EB06F
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C71A1336_2_6C71A133
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C827A466_2_6C827A46
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C89CB306_2_6C89CB30
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C6D506_2_6C7C6D50
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C79AD436_2_6C79AD43
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E8D906_2_6C7E8D90
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7CCE806_2_6C7CCE80
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7A4F116_2_6C7A4F11
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DA8C86_2_6C7DA8C8
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7B889F6_2_6C7B889F
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7CC9F06_2_6C7CC9F0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C2A506_2_6C7C2A50
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C0AD06_2_6C7C0AD0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C4AA06_2_6C7C4AA0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C76840A6_2_6C76840A
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7925EC6_2_6C7925EC
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D25C06_2_6C7D25C0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7BE6506_2_6C7BE650
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E26406_2_6C7E2640
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7CC6E06_2_6C7CC6E0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7EC7006_2_6C7EC700
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E67C06_2_6C7E67C0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D20506_2_6C7D2050
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7660926_2_6C766092
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7CA1F06_2_6C7CA1F0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D02806_2_6C7D0280
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D03806_2_6C7D0380
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C779CE06_2_6C779CE0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C9D106_2_6C7C9D10
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E7DE06_2_6C7E7DE0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D1EF06_2_6C7D1EF0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C79DEEF6_2_6C79DEEF
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C765EC96_2_6C765EC9
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C74BEA16_2_6C74BEA1
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E78706_2_6C7E7870
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D98206_2_6C7D9820
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C18106_2_6C7C1810
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DF8D06_2_6C7DF8D0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7978966_2_6C797896
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C74B9726_2_6C74B972
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DB9506_2_6C7DB950
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DD9306_2_6C7DD930
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7ED91A6_2_6C7ED91A
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C99006_2_6C7C9900
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E99996_2_6C7E9999
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7A3A526_2_6C7A3A52
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7EDA006_2_6C7EDA00
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D7AA06_2_6C7D7AA0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C763B666_2_6C763B66
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E1BC06_2_6C7E1BC0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C753BCA6_2_6C753BCA
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7BDB906_2_6C7BDB90
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D14D06_2_6C7D14D0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7AB4AC6_2_6C7AB4AC
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D74896_2_6C7D7489
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7B55216_2_6C7B5521
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DB5206_2_6C7DB520
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C75D06_2_6C7C75D0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7CF5806_2_6C7CF580
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C55806_2_6C7C5580
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E16006_2_6C7E1600
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E76C06_2_6C7E76C0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7AF7F36_2_6C7AF7F3
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C74F7CF6_2_6C74F7CF
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7E97C06_2_6C7E97C0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D97A06_2_6C7D97A0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7C30206_2_6C7C3020
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D10E06_2_6C7D10E0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DB2006_2_6C7DB200
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7DF2A06_2_6C7DF2A0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D67506_2_6C7D6750
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7D9AF06_2_6C7D9AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002581EC10_2_002581EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002981C010_2_002981C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A824010_2_002A8240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028425010_2_00284250
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AC3C010_2_002AC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A04C810_2_002A04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028865010_2_00288650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0026094310_2_00260943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028C95010_2_0028C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00288C2010_2_00288C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A0E0010_2_002A0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A4EA010_2_002A4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002710AC10_2_002710AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029D08910_2_0029D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A112010_2_002A1120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029518010_2_00295180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A91C010_2_002A91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028D1D010_2_0028D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AD2C010_2_002AD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002753F310_2_002753F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002153CF10_2_002153CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AD47010_2_002AD470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0025D49610_2_0025D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A54D010_2_002A54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0021157210_2_00211572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A155010_2_002A1550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0026965210_2_00269652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029D6A010_2_0029D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0022976610_2_00229766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002197CA10_2_002197CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AD9E010_2_002AD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00211AA110_2_00211AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00295E8010_2_00295E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00295F8010_2_00295F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0022E00A10_2_0022E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002922E010_2_002922E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002B230010_2_002B2300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0027E49F10_2_0027E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002925F010_2_002925F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028A6A010_2_0028A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002866D010_2_002866D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AE99010_2_002AE990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00292A8010_2_00292A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0026AB1110_2_0026AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00296CE010_2_00296CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002970D010_2_002970D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0027B12110_2_0027B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028B18010_2_0028B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A720010_2_002A7200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029F3A010_2_0029F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0023B3E410_2_0023B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AF3C010_2_002AF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029F42010_2_0029F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028741010_2_00287410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A353010_2_002A3530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028F50010_2_0028F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002B351A10_2_002B351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002AF59910_2_002AF599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002B360110_2_002B3601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028379010_2_00283790
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002A77C010_2_002A77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0023F8E010_2_0023F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028F91010_2_0028F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00263AEF10_2_00263AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00297AF010_2_00297AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0022BAC910_2_0022BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00297C5010_2_00297C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0022BC9210_2_0022BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0028FDF010_2_0028FDF0
Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: String function: 6C7E9F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: String function: 6C74C240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 002AFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00211E40 appears 172 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 002128E3 appears 34 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000000.2010653059.00000000004A9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName5uozhUfZ2GpEsNsJ.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012492273.000000007F49A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName5uozhUfZ2GpEsNsJ.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012141350.000000000350E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName5uozhUfZ2GpEsNsJ.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeBinary or memory string: OriginalFileName5uozhUfZ2GpEsNsJ.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@147/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C719450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C719450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00219313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_00219313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00223D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_00223D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00219252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_00219252
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C718930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,6_2_6C718930
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File created: C:\Program Files (x86)\Windows NT\is-Q6GSS.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2272:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe File created: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeVirustotal: Detection: 12%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp "C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10498,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp "C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp "C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10498,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Static file information: File size 8261016 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2070117259.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2070186077.0000000003010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_002957D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343bf5
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Static PE information: real checksum: 0x0 should be: 0x7e8f27
Source: update.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343bf5
Source: update.vbc.2.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr Static PE information: section name: .didata
Source: update.vbc.2.dr Static PE information: section name: .00cfg
Source: update.vbc.2.dr Static PE information: section name: .voltbl
Source: update.vbc.2.dr Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ#
Source: update.vbc.6.dr Static PE information: section name: .00cfg
Source: update.vbc.6.dr Static PE information: section name: .voltbl
Source: update.vbc.6.dr Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Code function: 6_2_6C71BDDB push ecx; ret 6_2_6C71BDEE
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Code function: 6_2_6C5C0F00 push ss; retn 0001h 6_2_6C5C0F0A
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Code function: 6_2_6C74E9F4 push 004AC35Ch; ret 6_2_6C74EA0E
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Code function: 6_2_6C7EA290 push eax; ret 6_2_6C7EA2BE
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp Code function: 6_2_6C7E9F10 push eax; ret 6_2_6C7E9F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002145F4 push 002BC35Ch; ret 10_2_0021460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002AFB10 push eax; ret 10_2_002AFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002AFE90 push eax; ret 10_2_002AFEBE
Source: update.vbc.2.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\update.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe File created: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe File created: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5704
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4000
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Window / User API: threadDelayed 637
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Window / User API: threadDelayed 656
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Window / User API: threadDelayed 565
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C70E090 FindFirstFileA,FindClose,FindClose, 6_2_6C70E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00216868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00216868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00217496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00217496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00219C60 GetSystemInfo, 10_2_00219C60
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000002.2041228923.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000002.2041228923.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000002.2041228923.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C593886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C593886
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C723871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C723871
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_002957D0
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C72D456 mov eax, dword ptr fs:[00000030h] 6_2_6C72D456
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C72D425 mov eax, dword ptr fs:[00000030h] 6_2_6C72D425
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C72286D mov eax, dword ptr fs:[00000030h] 6_2_6C72286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Code function: 6_2_6C71C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C71C3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmpCode function: 6_2_6C7EA720 cpuid 6_2_6C7EA720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0021AB2A GetSystemTimeAsFileTime,10_2_0021AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002B0090 GetVersion,10_2_002B0090
MITRE ATT&CK Matrix, by tactic (the figures the report attaches to a technique are kept in parentheses):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (241), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (431), Virtualization/Sandbox Evasion (241), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (45), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1580550
Sample: #U5b89#U88c5#U7a0b#U5e8f_1....
Startdate: 25/12/2024
Architecture: WINDOWS
Score: 96
Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures
Process tree (recovered from the behavior graph):
• #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
  • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp (PE32)
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
    • dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    • signature: Adds a directory exclusion to Windows Defender
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
      • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp (PE32)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
        • dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
        • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        • 7zr.exe
          • dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          • conhost.exe
        • cmd.exe
          • sc.exe
            • conhost.exe
          • Conhost.exe
        • 7zr.exe
          • conhost.exe
    • powershell.exe
      • signature: Loading BitLocker PowerShell Module
      • conhost.exe
      • WmiPrvSE.exe
• cmd.exe
  • sc.exe
    • conhost.exe
• cmd.exe
  • sc.exe
    • conhost.exe
• 30 other processes
  • sc.exe (3 instances), each starting conhost.exe
  • 26 other processes, starting conhost.exe and 25 other processes

Source | Detection | Scanner
#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | 12% | Virustotal
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HMLD3.tmp\update.vbc | 26% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SD78K.tmp\update.vbc | 26% | ReversingLabs
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012141350.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012492273.000000007F19B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000000.2013870078.00000000001F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000000.2026090207.00000000002DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012141350.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, 00000000.00000003.2012492273.000000007F19B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000002.00000000.2013870078.00000000001F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp, 00000006.00000000.2026090207.00000000002DD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp.5.dr | false | | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1580550
          Start date and time:2024-12-25 04:29:08 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 9m 24s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:110
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
          renamed because original name is a hash value
          Original Sample Name:_1.1.1.exe
          Detection:MAL
          Classification:mal96.evad.winEXE@147/31@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 74%
          • Number of executed functions: 27
          • Number of non-executed functions: 120
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded IPs from analysis (whitelisted): 4.245.163.56
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:29:57 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp modified
22:30:00 | API Interceptor | 24x Sleep call for process: powershell.exe modified
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | IoIB9gQ6OQ.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
 | eCompleted_419z.pdf | malicious | HTMLPhisher | 199.232.214.172
 | 3FG4bsfkEwmxFYY.exe | malicious | FormBook | 199.232.214.172
 | #U5b89#U88c5#U52a9#U624b1.0.3.exe | malicious | Unknown | 199.232.214.172
 | eCompleted_419z.pdf | malicious | Unknown | 199.232.210.172
 | Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx | malicious | Unknown | 199.232.214.172
 | 94e.exe | malicious | Remcos | 199.232.214.172
 | https://liladelman.com/rental/1218-west-side-road-block-island/ | malicious | Unknown | 199.232.210.172
 | 7q551ugrWe.exe | malicious | UltraVNC | 199.232.210.172
 | T8xrZb7nBL.exe | malicious | UltraVNC | 199.232.210.172
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.5.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.4.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):831200
                                    Entropy (8bit):6.671005303304742
                                    Encrypted:false
                                    SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                    MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                    SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                    SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                    SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                    Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2434305
                                    Entropy (8bit):7.999911103635125
                                    Encrypted:true
                                    SSDEEP:49152:6lJ5SghE/weg93yjX8t1gjLVZF/00I5kP72HKa8WH0OYyH:Yg6E/PgTgjfFc0I5w72HR8DyH
                                    MD5:439D701143D3AE93C0ECF7FC66A64290
                                    SHA1:69C4D7E2740A31EF5BC2B1007171DDB68CCDF631
                                    SHA-256:1E141DC505AD46078370F7A210550C80C0C04CA73CB2428E78ED7297C6A30C24
                                    SHA-512:B565EBD02609DCBC97447C92DFD7509BA87E812263B7F07A6D9B5E4FFC1A08D133FB899DDB9F342F9CD153C9F1C28284E0D57D47260983BAD7C238E72C723E5B
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3621376
                                    Entropy (8bit):7.006090025798393
                                    Encrypted:false
                                    SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                    MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                    SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                    SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                    SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                    Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 38%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):56562
                                    Entropy (8bit):7.996726541844029
                                    Encrypted:true
                                    SSDEEP:1536:qw5bNxKEVXFs8rn/DPuaTawqNQKHTxJSg3q:qw5bOSVs8bDPuaTlqNXHdJI
                                    MD5:D8EA72A4635ADBE748E3708D4B946A76
                                    SHA1:5659E7D4E5A8E90F557F8D20402B7B59CAD95DD6
                                    SHA-256:FE773A943E3013C31BA50A9B44A0D025BD3320F3C0EDC8F54220831029C94788
                                    SHA-512:45A47045369B42F557B089A1FAD0FE2A09E415E6EDCDBFAB4BEEBAB3D817D7497A9A132D6092882D9D447EF4953075D8B8FDD8BCD3D3891A867B19F63BBB6197
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):56562
                                    Entropy (8bit):7.996726541844026
                                    Encrypted:true
                                    SSDEEP:1536:sz38cFjoDsbcovdwKsvK0Z9Xx419XE1+3KGP8:M38+UD5W2jpXx4rL3KGP8
                                    MD5:2F5C3144FC7A57E77A5C11D8D94D0129
                                    SHA1:B865F8810DE3A4CC2CEDFFD38479660ADBD6B9FD
                                    SHA-256:7C342958F61F1A859412FE8FF0AF7DF58143592C54D036386085F648BABF0EA7
                                    SHA-512:8882F2B6ABA02C4C6A866EA4F6DE8D1F480B703D5E077B397A43134865ECDB297D9287B9BD8D6341AF14BC0947AAD900744BF86E49BD1343EE35B196F0ECC702
                                    Malicious:false
                                    Preview:7z..'....].........2........Y..o..hkX.YyspP.j'..1...n.....1.[.[..ms....PFM..(...B-xl..X..g...o..F.C@.VW...H\z...K.99...[SP.p...FL..&y.~...D...a.B..!.GP.u.\.Ok=..jy).e&..j.T..wK.1m.....5...dt...E|.o......c...`Q..[..)..`Cf...C.4....IV...IEy...+..F|.Y.e....Q,..n.y=...f..+/Gn....eq...[o3...W...t;..A...,..z....8.....:.C*..8..S..o...A.4...T.>Zc...h>k..FR#..9...D.uU.u7c...[.?.!..t.T.0.fF.$a....c........%..P.q.....k..m3.O...|JwS...l.f*j./.A]......Z.r.T..=L..b..5.#.3D=O.@..M.2.$u..D..I.Z...?..Q..b_O..Sw*/~.c....K(G......I.<.....&`.SVt....+?.:.y,.5....AX..0..,.ij...n]....".;..PL..Nf.i...........N....i'.X..5....m...@.f......7....K....x........*A...&...J...z.D<.UAb..>.._...O"....u.#5~.5.3...H...d..x.r..8;.;.y..8.s.I.i #u.W?.X=.f.dC......ak...r...%h.'. .+T.S.U.&..v..a.D..d..2A&I&.4...M34...I@2S..3.X.vky..........r'.rJ'V.5B...........(V.w-$x...r.}fy....,2..[^N.....0z..&.#.....D.F....P..~Y.}!^x.p..5./.&-.,.Z$.-..hO.te.8..p....DS.."...x[v....-..2..Tj..F.......~.yc
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):56546
                                    Entropy (8bit):7.996966859255975
                                    Encrypted:true
                                    SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                    MD5:CEA69F993E1CE0FB945A98BF37A66546
                                    SHA1:7114365265F041DA904574D1F5876544506F89BA
                                    SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                    SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                    Malicious:false
                                    Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):56546
                                    Entropy (8bit):7.996966859255979
                                    Encrypted:true
                                    SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                    MD5:4CB8B7E557C80FC7B014133AB834A042
                                    SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                    SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                    SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                    Malicious:false
                                    Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):31890
                                    Entropy (8bit):7.99402458740637
                                    Encrypted:true
                                    SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                    MD5:8622FC7228777F64A47BD6C61478ADD9
                                    SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                    SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                    SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                    Malicious:false
                                    Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):31890
                                    Entropy (8bit):7.99402458740637
                                    Encrypted:true
                                    SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                    MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                    SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                    SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                    SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                    Malicious:false
                                    Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):74960
                                    Entropy (8bit):7.99759370165655
                                    Encrypted:true
                                    SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                    MD5:950338D50B95A25F494EE74E97B7B7A9
                                    SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                    SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                    SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                    Malicious:false
                                    Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):74960
                                    Entropy (8bit):7.997593701656546
                                    Encrypted:true
                                    SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                    MD5:059BA7C31F3E227356CA5F29E4AA2508
                                    SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                    SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                    SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                    Malicious:false
                                    Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):29730
                                    Entropy (8bit):7.994290657653607
                                    Encrypted:true
                                    SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                    MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                    SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                    SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                    SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                    Malicious:false
                                    Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):29730
                                    Entropy (8bit):7.994290657653608
                                    Encrypted:true
                                    SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                    MD5:A9C8A3E00692F79E1BA9693003F85D18
                                    SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                    SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                    SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                    Malicious:false
                                    Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):2434305
                                    Entropy (8bit):7.999911103635131
                                    Encrypted:true
                                    SSDEEP:49152:ksG4XhcOJArfFKjwEbdY/3aNIzcsI4hhRNAlUEgiEM1v4Lhf:lG4XhdArfU7dY/nzcEhhTAlU7M1v4L9
                                    MD5:DD8E36D6084DA01635B95172915EF458
                                    SHA1:82F422DFAE2A8CE38052D243233BCE61CD7696FA
                                    SHA-256:E25F6C9D3E88919670374B34C90E3E5719C13D48A9C4919E79222BEFFA305F21
                                    SHA-512:4D23C6BAFF88392B98446E3FFF51D64BA018EED37EE1F7EE6878138DE03F099E5605E8B1272EE87B94F366E864EF895B5BDEA44BA0488A19CAE2D0D0439DDA58
                                    Malicious:false
                                    Preview:7z..'.....c..$%.....A.......V. ...<.&....<.!7P.a<e.K.W.+..{....2\..F..u..,i.....Y..w...:.j....!!...._+[..3.....>..b..du.t./...;..o... ;..nj..x....[N...E...........GD.w.\.5.....-....k.&W.C.K..@q>6.......DBk8.B...!.....`.[%.ToL.5.....y"...pJ.yl.....As..n...s...r^......p...2..v|....p!....I...w. 8.Z.\..U..Hw/....r...&f.;.HE.C,.,u..'........G....o_.......*.[...G...x.8....UP..\...U9*o...5....7...FD..@!2..;.B' ....)..W..<...ox.F.B.?...<.Ym...$~]..t,^.j."8.1}.K.mv.r..H....p./..zA.6(...-..Gk...29Dv.K><..F..5.....m9.L..=}/. .@.AO....<5.j...;.-Z...S.R..Z0)tF\......;..3.......\:.(.z...R:O..'..eK...M`......V.=:..z*J..jl0-V...y.._.......sJ.h.|...F../}w)*.0.......Gg.....z_..v'...|.6.9..u..yv*>w.{..c..-z.X...7...8<:..4t?......r.R...s.k....7...L]VD....C.T_..=..,w.kVs.}/..d\..K*........!#jtIk....d5..!..m.#k.NDM..].E_r(..X+.^. .j]...^...DD.....g .`...u.l...FC#Q.KV]........g....FL...iOE,.G\......^........lK.DJx.!....3).....QF...7....@.A.\K7.G.a\..Z..f.|
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):63640
                                    Entropy (8bit):6.482810107683822
                                    Encrypted:false
                                    SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                    MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                    SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                    SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                    SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 9%
                                    • Antivirus: Virustotal, Detection: 6%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):4096
                                    Entropy (8bit):3.344567528038744
                                    Encrypted:false
                                    SSDEEP:48:dXKLzDlniPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlniP6whldOVQOj6dKbKsz7
                                    MD5:AE3812B9995E6A5AF22288E194BAAA96
                                    SHA1:39FC47ACD37354E4266CA3B4196F2A588B2BA9E9
                                    SHA-256:253E19D5392A7ACB8800D53EE906CD29322773B2639732903157BE85EBA14D5F
                                    SHA-512:64B8984DA418779CAB5EC59E9329271CD89C664E7BF147F5D32678A958D69C301D56A78A2ECCF4C4D94462264E337279ECE35CC32DFE550A87CD22321819E0B8
                                    Malicious:false
                                    Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkA
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2184132
                                    Entropy (8bit):7.999925903646515
                                    Encrypted:true
                                    SSDEEP:49152:fGPhAzdPzU0JTVTUkImy7ld3iMXHlMmGs9UNcm2Sw2/CakpaSQX:fG5s9FVTU8I1XHTGs9UNcmaVEN
                                    MD5:C5F70305CDF398DF254E23E7A801280C
                                    SHA1:951A3C19FB69B3D0745D369EF954A065A1A7799F
                                    SHA-256:6CBD9E1A0C46F964CCCE24BFF7DDA6096EA9EC1EB71B3036FD4ADB7192C480A8
                                    SHA-512:8459A772AF12A7B9566F4118DC29DACFA4221B45CCB21C17DBE35CD478417E4562FCF9479354D8572464F0697F0E1C09E3084AD86C390A5EC32798BCB0C9677E
                                    Malicious:false
                                    Preview:..h..`..0;. ...4d.....j.".Qj..8a.......b....C/...x..<...C...|3....p........[........8.....MS.;.\.Q^...<.."#.).F.>vL.R.e>.....k.....H...P........[..v'}....;h..A...i.rURT.@..[.Mg.....V.v...d.?BR..>..R..,.e.]x.8]~.?c..U.?p%....U..Tn)..d.#.6..T..cd.>.U.F.y1.:.v>l.....[e.aMGj..I.>...F{..V. .J...'..?..w\..<....G...tH.....A.U.. ...o.s.).....i.j....^.BY.w...../.*..-.L..P.Q...x:.kV[>.\.B:a..;A..K.......=."....*...B..xQ..g.MC....6..{...TP..e...e.h...A..~.RBt...X.?-1V...t.8.(..6...o...I..0.@....r.....?.V..($..c..q..!...~.8..]...FAR5a.)V.4.;......<..U.k...m.Ay...?..kPpy'b..Zh..C=. nc.K.c......:G.P.Z.l..r..T....y...c.........^.?U.0....z..uEE...#.&]....*&..Z...J*7T.4a.9}.;..]........L.F{.....^Y..&...@.P.f..Gur.3..W ...V..<A..<....#w...x......G..r..W..+.=...d.Z.[_.s3....E."{.....&I....X,...~.....?.hL.#...Z!.t..\.%..s...N.>A..^F.t..x......x.l.9....E...w#.bp..<.".)!.\H*"i....4...Qp.2.....8....Sd.K........zR....E..8.A.Y..UIl6..j
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:NlllulJnp/p:NllU
                                    MD5:BC6DB77EB243BF62DC31267706650173
                                    SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                    SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                    SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                    Malicious:false
                                    Preview:@...e.................................X..............@..........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3366912
                                    Entropy (8bit):6.530563809097251
                                    Encrypted:false
                                    SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                    MD5:50BE0CB95305EF8AE459BA9C46D78BDF
                                    SHA1:D239F04E5AF6E2CD68206768BB89A56A7094ED69
                                    SHA-256:4C3449727A03D87CFD63F176885859957C20585EDF70F55C87BA282C78285515
                                    SHA-512:13B072A08D2FC904C801EB4ED0E08484F8285FF95F90075014A9704A9DF5F795D6EA18E50396392347233D061C947FB779D0C600746CFC8AB651297CAB49F7D9
                                    Malicious:true
                                    Antivirus:
                                     • Antivirus: Virustotal, Detection: 1%
                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):6144
                                    Entropy (8bit):4.720366600008286
                                    Encrypted:false
                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3621376
                                    Entropy (8bit):7.006090025798393
                                    Encrypted:false
                                    SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                    MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                    SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                    SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                    SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 26%
                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):6144
                                    Entropy (8bit):4.720366600008286
                                    Encrypted:false
                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3621376
                                    Entropy (8bit):7.006090025798393
                                    Encrypted:false
                                    SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                    MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                    SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                    SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                    SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 26%
                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3366912
                                    Entropy (8bit):6.530563809097251
                                    Encrypted:false
                                    SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                    MD5:50BE0CB95305EF8AE459BA9C46D78BDF
                                    SHA1:D239F04E5AF6E2CD68206768BB89A56A7094ED69
                                    SHA-256:4C3449727A03D87CFD63F176885859957C20585EDF70F55C87BA282C78285515
                                    SHA-512:13B072A08D2FC904C801EB4ED0E08484F8285FF95F90075014A9704A9DF5F795D6EA18E50396392347233D061C947FB779D0C600746CFC8AB651297CAB49F7D9
                                    Malicious:true
                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:ASCII text, with CRLF, CR line terminators
                                    Category:dropped
                                    Size (bytes):406
                                    Entropy (8bit):5.117520345541057
                                    Encrypted:false
                                    SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                    MD5:9200058492BCA8F9D88B4877F842C148
                                    SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                    SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                    SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                    Malicious:false
                                    Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
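The 7-Zip log above records 7zr.exe, run from C:\Program Files (x86)\Windows NT\, unpacking a 7zAES-encrypted archive named locale3.dat (a name chosen not to look like an archive), and the process list further down shows powershell.exe running Add-MpPreference -ExclusionPath 'C:\', which removes the whole system drive from Defender scanning. The Python below is an added detection example written for this page; it is not Joe Sandbox output and not code from the sample. It runs two rules over constructed process-creation events modelled on those command lines: the 7zr.exe command line, its password and its -o target are assumptions (the report shows only the tool's output), and the -EncodedCommand event is constructed to show that the same cmdlet is caught after base64/UTF-16LE decoding.

```python
"""Added detection example for this report: flag Defender exclusions set via
Add-/Set-MpPreference (plain or -EncodedCommand) and 7-Zip console binaries
run from unexpected locations. All events below are constructed."""
import base64
import binascii
import ntpath
import re

ARCHIVER_NAMES = {"7z.exe", "7zr.exe", "7za.exe", "7zg.exe"}
ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".cab", ".iso"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCL_RE = re.compile(
    r'''-Exclusion(Path|Extension|Process|IpAddress)\s+(?:'([^']*)'|"([^"]*)"|(\S+))''', re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def _encode_ps(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def check_defender_exclusion(cmdline: str):
    """(severity, rule, value) for every exclusion added with Add-/Set-MpPreference."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    findings = []
    if not MPPREF_RE.search(script):
        return findings
    for kind, q1, q2, bare in EXCL_RE.findall(script):
        value = q1 or q2 or bare
        rule = "defender-exclusion" + ("-encoded" if decoded is not None else "")
        severity = "medium"
        if kind.lower() == "path" and DRIVE_ROOT_RE.match(value):
            severity, rule = "high", rule + "-drive-root"  # whole volume left unscanned
        findings.append((severity, rule, value))
    return findings


def check_archiver_abuse(image: str, cmdline: str):
    """Flag 7-Zip console tools outside a 7-Zip directory, odd archive names, passwords."""
    name = ntpath.basename(image).lower()
    findings = []
    if name not in ARCHIVER_NAMES:
        return findings
    if "7-zip" not in ntpath.dirname(image).lower():
        findings.append(("medium", "archiver-outside-install-dir", image))
    m = re.search(r'\s[xe]\s+"?([^"\s]+)"?', cmdline)  # "7z x <archive>" / "7z e <archive>"
    if m and ntpath.splitext(m.group(1))[1].lower() not in ARCHIVE_EXTS:
        findings.append(("medium", "non-archive-extension", m.group(1)))
    if re.search(r"\s-p\S", cmdline):  # 7-Zip takes the password as -pPASSWORD
        findings.append(("low", "password-supplied", name))
    return findings


def scan(events):
    """Apply both rules to {"image", "cmdline"} events -> (process, severity, rule, detail)."""
    hits = []
    for ev in events:
        proc = ntpath.basename(ev["image"]).lower()
        for sev, rule, detail in (check_defender_exclusion(ev["cmdline"])
                                  + check_archiver_abuse(ev["image"], ev["cmdline"])):
            hits.append((proc, sev, rule, detail))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, modelled on the command lines in this report
    {"image": PS, "cmdline": '"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'C:\\\'"'},
    {"image": PS, "cmdline": "powershell.exe -NoProfile -enc "
                             + _encode_ps("Set-MpPreference -ExclusionPath 'C:\\Users\\Public'")},
    {"image": PS, "cmdline": "powershell.exe -Command Get-MpPreference"},
    {"image": r"C:\Program Files (x86)\Windows NT\7zr.exe",  # password and -o target are assumed
     "cmdline": r'"C:\Program Files (x86)\Windows NT\7zr.exe" x locale3.dat -pSecret -oC:\Users\user\AppData\Local\Temp -y'},
    {"image": r"C:\Program Files\7-Zip\7z.exe",  # benign control: no finding expected
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x backup.7z -oD:\restore'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The drive-root check is what separates this sample's exclusion from routine administrative exclusions of a build directory; an exclusion of `C:\` should be treated as disabling Defender. The encoded-command path matters because the same cmdlet is routinely wrapped in -EncodedCommand, which defeats a plain string match on the command line.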
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.95644950677524
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 98.04%
                                    • Inno Setup installer (109748/4) 1.08%
                                    • InstallShield setup (43055/19) 0.42%
                                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                    File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
                                    File size:8'261'016 bytes
                                    MD5:06d612676f808e50beef2f579321ff99
                                    SHA1:15c1a4371d5253ed4a045920f6f7c502d9b30d9e
                                    SHA256:61a4f5e9d34679627708b25beb4d0e475dea7d84392611a28437decbe9396c52
                                    SHA512:f7ea4d26ddf7f01b7a7a9984f6b9f085b532977f976d424c6876faeea1810051954bc566f0eb8b4c7da8244a96f63df5ce979f1a41e5312b3f545bad9172c1ab
                                    SSDEEP:196608:l3QMnoO6U8YybDbeBXHAO49VpjEKkMyJc5X:l3vnoO6U+beCNjHuw
                                    TLSH:91862213F2CBE43DE05D0B3B1AB2A15894FB6A616516BE1796ECB4ACCE321101D3F647
                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                    Icon Hash:0c0c2d33ceec80aa
                                    Entrypoint:0x4a83bc
                                    Entrypoint Section:.itext
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:1
                                    File Version Major:6
                                    File Version Minor:1
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:1
                                    Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    add esp, FFFFFFA4h
                                    push ebx
                                    push esi
                                    push edi
                                    xor eax, eax
                                    mov dword ptr [ebp-3Ch], eax
                                    mov dword ptr [ebp-40h], eax
                                    mov dword ptr [ebp-5Ch], eax
                                    mov dword ptr [ebp-30h], eax
                                    mov dword ptr [ebp-38h], eax
                                    mov dword ptr [ebp-34h], eax
                                    mov dword ptr [ebp-2Ch], eax
                                    mov dword ptr [ebp-28h], eax
                                    mov dword ptr [ebp-14h], eax
                                    mov eax, 004A2EBCh
                                    call 00007F91F87451A5h
                                    xor eax, eax
                                    push ebp
                                    push 004A8AC1h
                                    push dword ptr fs:[eax]
                                    mov dword ptr fs:[eax], esp
                                    xor edx, edx
                                    push ebp
                                    push 004A8A7Bh
                                    push dword ptr fs:[edx]
                                    mov dword ptr fs:[edx], esp
                                    mov eax, dword ptr [004B0634h]
                                    call 00007F91F87D6B2Bh
                                    call 00007F91F87D667Eh
                                    lea edx, dword ptr [ebp-14h]
                                    xor eax, eax
                                    call 00007F91F87D1358h
                                    mov edx, dword ptr [ebp-14h]
                                    mov eax, 004B41F4h
                                    call 00007F91F873F253h
                                    push 00000002h
                                    push 00000000h
                                    push 00000001h
                                    mov ecx, dword ptr [004B41F4h]
                                    mov dl, 01h
                                    mov eax, dword ptr [0049CD14h]
                                    call 00007F91F87D2683h
                                    mov dword ptr [004B41F8h], eax
                                    xor edx, edx
                                    push ebp
                                    push 004A8A27h
                                    push dword ptr fs:[edx]
                                    mov dword ptr fs:[edx], esp
                                    call 00007F91F87D6BB3h
                                    mov dword ptr [004B4200h], eax
                                    mov eax, dword ptr [004B4200h]
                                    cmp dword ptr [eax+0Ch], 01h
                                    jne 00007F91F87DD89Ah
                                    mov eax, dword ptr [004B4200h]
                                    mov edx, 00000028h
                                    call 00007F91F87D2F78h
                                    mov edx, dword ptr [004B4200h]
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xcb000 | 0x11000 | 0x11000 | 0818b06bcc9b4a9f99d241d588354a46 | False | 0.18778722426470587 | data | 3.723717743611554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                     RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                     RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                     RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                     RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                     RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                     RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                     RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                     RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                     RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                     RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                     RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                     RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                     RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                     RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                     RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                     RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                     RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                     RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                     RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                     RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                     RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                     RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                     RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                     RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                     RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                     RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                                     RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                     RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                     RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                     DLL | Import
                                     kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                     comctl32.dll | InitCommonControls
                                     user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                     oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                     advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
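The Import Hash line in the static information above is, by convention, the imphash as computed by pefile: the DLL and function names from the import directory, lower-cased and joined in directory order, then hashed with MD5. The Python below is an added example written for this page, not Joe Sandbox code. It reimplements that derivation and feeds it the import list transcribed from the table above; the assumption that the listed order is the import-directory order is what decides whether the result equals the value in the report, so the block prints the hash for comparison rather than asserting it. Unnamed (ordinal-only) imports are rendered as ord<N>; pefile additionally resolves well-known ordinals for a few DLLs to names, which this example does not do.

```python
"""Added example: derive an import hash (imphash, pefile convention) from an
import table like the one listed in this report. REPORT_IMPORTS is transcribed
from the table above; its order is assumed to be the import-directory order."""
import hashlib

STRIPPED_EXTS = {"dll", "ocx", "sys"}  # extensions pefile drops from the DLL name


def import_string(imports) -> str:
    """Join "<dll>.<func>" pairs, lower-cased, in import-directory order.
    imports: list of (dll_name, [function_name or ordinal_int, ...]).
    Ordinal imports become ord<N> (pefile also maps known ordinals to names)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in STRIPPED_EXTS:
            lib = base
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the joined import string."""
    return hashlib.md5(import_string(imports).encode("utf-8")).hexdigest()


KERNEL32 = """GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource,
VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap,
ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW,
FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW,
SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent,
GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW,
SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource,
GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep,
EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize,
GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW,
GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW,
GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW,
VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask,
GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter,
SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW,
SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime,
GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection,
TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW,
GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID,
RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale""".replace(",", " ").split()

USER32 = """CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW,
PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW,
CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW""".replace(",", " ").split()

OLEAUT32 = """SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound,
SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen,
VariantChangeType, SafeArrayCreate""".replace(",", " ").split()

ADVAPI32 = """ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken,
AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid,
AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation,
ConvertSidToStringSidW, RegCloseKey""".replace(",", " ").split()

REPORT_IMPORTS = [
    ("kernel32.dll", KERNEL32),
    ("comctl32.dll", ["InitCommonControls"]),
    ("user32.dll", USER32),
    ("oleaut32.dll", OLEAUT32),
    ("advapi32.dll", ADVAPI32),
]

if __name__ == "__main__":
    # Compare with the Import Hash line in the report; a mismatch means the
    # listed order is not the import-directory order, not a different algorithm.
    print(imphash(REPORT_IMPORTS))
```

Because the hash covers names and order only, it survives recompilation with the same linker layout but changes as soon as a single import is added or reordered, which is why it is useful for clustering builds of one installer stub and useless as a per-sample identifier.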
                                     Name | Ordinal | Address
                                     __dbk_fcall_wrapper | 2 | 0x40fc10
                                     dbkFCallWrapperAddr | 1 | 0x4b063c
                                     Language of compilation system | Country where language is spoken
                                     English | United States
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Dec 25, 2024 04:30:14.529927015 CET | 1.1.1.1 | 192.168.2.5 | 0x66d6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                     Dec 25, 2024 04:30:14.529927015 CET | 1.1.1.1 | 192.168.2.5 | 0x66d6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:22:29:56
                                    Start date:24/12/2024
                                    Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe"
                                    Imagebase:0x3f0000
                                    File size:8'261'016 bytes
                                    MD5 hash:06D612676F808E50BEEF2F579321FF99
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:22:29:56
                                    Start date:24/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-D28FV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10474,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe"
                                    Imagebase:0x1f0000
                                    File size:3'366'912 bytes
                                    MD5 hash:50BE0CB95305EF8AE459BA9C46D78BDF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Antivirus matches:
                                    • Detection: 1%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:22:29:57
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                    Imagebase:0x7ff7be880000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:22:29:57
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:22:29:57
                                    Start date:24/12/2024
                                    Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
                                    Imagebase:0x3f0000
                                    File size:8'261'016 bytes
                                    MD5 hash:06D612676F808E50BEEF2F579321FF99
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:false

                                    Target ID:6
                                    Start time:22:29:58
                                    Start date:24/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-UMM4C.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.tmp" /SL5="$10498,7306651,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe" /VERYSILENT
                                    Imagebase:0x60000
                                    File size:3'366'912 bytes
                                    MD5 hash:50BE0CB95305EF8AE459BA9C46D78BDF
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:22:30:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:22:30:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:22:30:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:22:30:01
                                    Start date:24/12/2024
                                    Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                    Wow64 process (32bit):true
                                    Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                    Imagebase:0x210000
                                    File size:831'200 bytes
                                    MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    • Detection: 0%, Virustotal, Browse
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:11
                                    Start time:22:30:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                    Wow64 process (32bit):true
                                    Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                    Imagebase:0x210000
                                    File size:831'200 bytes
                                    MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:13
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff6ef0c0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:15
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:22:30:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:29
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:30
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:31
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:32
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:33
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:34
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:35
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:36
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:37
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:39
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:40
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:41
                                    Start time:22:30:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:42
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:43
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:44
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:45
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:46
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:47
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:48
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:49
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:50
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:51
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:52
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:53
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:54
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:55
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:56
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:57
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:58
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:59
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:60
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:61
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:62
                                    Start time:22:30:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:63
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:64
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:65
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:66
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:67
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:68
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:69
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:70
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:71
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:72
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:73
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:74
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:75
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:76
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:77
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:78
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:79
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:80
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:81
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:82
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:83
                                    Start time:22:30:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:84
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:85
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:86
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:87
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:88
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:89
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:90
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:91
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:92
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:93
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:94
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:95
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:96
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:97
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:98
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:99
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:100
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:101
                                    Start time:22:30:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:102
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:103
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:104
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:105
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:106
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7ad020000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:107
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:108
                                    Start time:22:30:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff6ef510000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:266
                                    Start time:22:30:14
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false
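
The process list above is dominated by one pattern: cmd.exe launched with `cmd /c start sc start CleverSoar`, each time followed by an sc.exe child running `sc start CleverSoar`, dozens of times within a few seconds, all with elevated privileges. The following Python is an added triage example, not part of the Joe Sandbox report or its export tooling: it parses records in the report's own "Field:value" layout, counts only the sc.exe invocations (so the cmd.exe wrapper is not double counted), and flags a service-start burst when at least `min_count` starts fall inside a sliding time window. `SAMPLE_REPORT` is a constructed excerpt of five records from this page; the thresholds and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (an excerpt, not the full report): five of the
# report's process records, kept in the report's own "Field:value" layout.
SAMPLE_REPORT = r"""
Target ID:75
Start time:22:30:05
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true
Has exited:true

Target ID:76
Start time:22:30:05
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
Has exited:true

Target ID:77
Start time:22:30:05
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has elevated privileges:true
Has exited:true

Target ID:79
Start time:22:30:05
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
Has exited:true

Target ID:85
Start time:22:30:06
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
Has exited:true
"""

# "sc start <name>" or "sc.exe start <name>". This also matches inside the
# cmd.exe wrapper line, so the caller separates sc.exe itself from launchers.
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_records(report_text):
    """Split the report's process list into one dict per 'Target ID' block."""
    records = []
    for block in re.split(r"\n\s*\n", report_text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep:
                rec[key.strip()] = value.strip()
        if "Target ID" not in rec:
            continue
        rec["started"] = datetime.strptime(
            rec["Start date"] + " " + rec["Start time"], "%d/%m/%Y %H:%M:%S")
        rec["image"] = rec.get("Path", "").rsplit("\\", 1)[-1].lower()
        records.append(rec)
    return records


def find_service_start_bursts(records, min_count=3, window=timedelta(seconds=10)):
    """Return {service: summary} for each service that sc.exe was asked to start
    at least `min_count` times inside some interval of length `window`.
    Wrapper processes whose command line merely contains the sc command
    (cmd.exe here) are recorded as launchers, not counted as starts."""
    per_service = {}
    for rec in records:
        m = SC_START.search(rec.get("Commandline", ""))
        if not m:
            continue
        entry = per_service.setdefault(
            m.group(1), {"starts": [], "launchers": set(), "elevated": False})
        if rec["image"] == "sc.exe":
            entry["starts"].append(rec["started"])
        else:
            entry["launchers"].add(rec["image"])
        if rec.get("Has elevated privileges", "").lower() == "true":
            entry["elevated"] = True

    bursts = {}
    for svc, entry in per_service.items():
        times = sorted(entry["starts"])
        # sliding window: any min_count consecutive starts inside `window`
        in_burst = any(times[i + min_count - 1] - times[i] <= window
                       for i in range(len(times) - min_count + 1))
        if in_burst:
            bursts[svc] = {
                "count": len(times),
                "span_seconds": (times[-1] - times[0]).total_seconds(),
                "launchers": sorted(entry["launchers"]),
                "elevated": entry["elevated"],
            }
    return bursts


if __name__ == "__main__":
    for svc, info in find_service_start_bursts(parse_records(SAMPLE_REPORT)).items():
        print(f"{svc}: {info['count']} sc.exe starts in {info['span_seconds']:.0f}s, "
              f"launched via {info['launchers']}, elevated={info['elevated']}")
```

The service name is the pivot for host triage: on a live machine `sc qc CleverSoar` shows the binary path and start type, and the same configuration lives under HKLM\SYSTEM\CurrentControlSet\Services\CleverSoar. A legitimate installer starts its service once; a tight loop of elevated `sc start` calls is worth a detection rule on its own, independent of the service name.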


                                      Execution Graph

                                      Execution Coverage:1.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:5.2%
                                      Total number of Nodes:728
                                      Total number of Limit Nodes:8
                                      execution_graph: the node/edge dump of the interactive graph viewer is omitted here (728 nodes, edges written as "nodeA->nodeB", node addresses in the module range 0x6c59xxxx to 0x6c73xxxx; the dump is cut off mid-entry in the source). The API calls named on its nodes are:
                                      CRT/console I/O path (0x6c7301c3 onward): __dosmaperr, __cftoe, __wsopen_s, HeapFree, GetLastError, _free, GetConsoleMode, ReadFile, ReadConsoleW
                                      0x6c5af150 path: CreateFileA, GetCurrentProcess, TerminateProcess
                                      0x6c594b53 path: IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection (std::_Facet_Register); CreateFileA, CloseHandle; OpenSCManagerA (0x6c718810); CreateToolhelp32Snapshot (0x6c718930); CreateProcessA (0x6c7186e0); Sleep; GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction (0x6c719450); ExitWindowsEx, Sleep (0x6c59fbe8); GetCurrentProcess, TerminateProcess (0x6c59e8dd); plus CRT/STL helpers (_strlen, _Yarn, std::ios_base::_Ios_base_dtor)
4 API calls 97838->97839 97839->97841 97840->97841 97842 6c719050 104 API calls 97841->97842 97847 6c59c0db std::ios_base::_Ios_base_dtor _strlen 97842->97847 97843 6c59c7bc 97846 6c71a133 std::_Facet_Register 4 API calls 97843->97846 97844 6c59c7a5 97845 6c71a133 std::_Facet_Register 4 API calls 97844->97845 97854 6c59c753 _Yarn _strlen 97845->97854 97846->97854 97847->97716 97847->97843 97847->97844 97847->97854 97848 6c59d3ed 97850 6c71a133 std::_Facet_Register 4 API calls 97848->97850 97849 6c59d406 97851 6c71a133 std::_Facet_Register 4 API calls 97849->97851 97852 6c59d39a _Yarn 97850->97852 97851->97852 97853 6c719050 104 API calls 97852->97853 97855 6c59d458 std::ios_base::_Ios_base_dtor _strlen 97853->97855 97854->97733 97854->97848 97854->97849 97854->97852 97860 6c59cb2f 97854->97860 97855->97716 97856 6c59d8bb 97855->97856 97857 6c59d8a4 97855->97857 97861 6c59d852 _Yarn _strlen 97855->97861 97859 6c71a133 std::_Facet_Register 4 API calls 97856->97859 97858 6c71a133 std::_Facet_Register 4 API calls 97857->97858 97858->97861 97859->97861 97861->97733 97862 6c59dccf 97861->97862 97863 6c59dcb6 97861->97863 97866 6c59dc69 _Yarn 97861->97866 97865 6c71a133 std::_Facet_Register 4 API calls 97862->97865 97864 6c71a133 std::_Facet_Register 4 API calls 97863->97864 97864->97866 97865->97866 97867 6c719050 104 API calls 97866->97867 97869 6c59dd1c std::ios_base::_Ios_base_dtor 97867->97869 97868 6c7186e0 4 API calls 97868->97797 97869->97716 97869->97868 97872 6c71a138 97870->97872 97871 6c71a152 97871->97714 97872->97871 97875 6c71a154 std::_Facet_Register 97872->97875 97979 6c722704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 97872->97979 97874 6c71afb3 std::_Facet_Register 97983 6c71ca69 RaiseException 97874->97983 97875->97874 97980 6c71ca69 RaiseException 97875->97980 97877 6c71b7ac IsProcessorFeaturePresent 97883 6c71b7d1 97877->97883 97879 6c71af73 97981 6c71ca69 RaiseException 97879->97981 97881 6c71af93 
std::invalid_argument::invalid_argument 97982 6c71ca69 RaiseException 97881->97982 97883->97714 97885 6c70e0a4 97884->97885 97886 6c70e0a6 FindFirstFileA 97884->97886 97885->97886 97887 6c70e0e0 97886->97887 97888 6c70e0e2 FindClose 97887->97888 97889 6c70e13c 97887->97889 97888->97887 97889->97720 97891 6c718846 97890->97891 97892 6c7188be OpenServiceA 97891->97892 97893 6c718922 97891->97893 97892->97891 97893->97765 97895 6c700893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 97894->97895 97896 6c704e71 CloseHandle 97895->97896 97897 6c5a37cb 97895->97897 97898 6c703bd1 CloseHandle 97895->97898 97900 6c6ecea0 WriteFile ReadFile WriteFile WriteFile 97895->97900 97984 6c6ec390 97895->97984 97896->97895 97901 6c719450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 97897->97901 97898->97895 97900->97895 97901->97732 97903 6c5b6bd5 97902->97903 97995 6c5e2020 97903->97995 97905 6c5b6c68 97906 6c71a133 std::_Facet_Register 4 API calls 97905->97906 97907 6c5b6ca0 97906->97907 98012 6c71aa17 97907->98012 97909 6c5b6cb4 98024 6c5e1d90 97909->98024 97911 6c5b6d8e 97911->97776 97914 6c5b6dc8 98032 6c5e26e0 24 API calls 4 library calls 97914->98032 97916 6c5b6dda 98033 6c71ca69 RaiseException 97916->98033 97918 6c5b6def 98034 6c5de010 67 API calls 97918->98034 97920 6c5b6e0f 97920->97776 97922 6c5b6e9f 97921->97922 97925 6c5b6eb3 97922->97925 98425 6c5e3560 32 API calls std::_Xinvalid_argument 97922->98425 97927 6c5b6f5b 97925->97927 98427 6c5e2250 30 API calls 97925->98427 98428 6c5e26e0 24 API calls 4 library calls 97925->98428 98429 6c71ca69 RaiseException 97925->98429 97926 6c5b6f6e 97926->97776 97927->97926 98426 6c5e37e0 32 API calls std::_Xinvalid_argument 97927->98426 97932 6c5b709e 97931->97932 97936 6c5b70d1 97931->97936 98430 6c5e01f0 97932->98430 97934 6c5b7183 97934->97765 97936->97934 98434 6c5e2250 30 API calls 97936->98434 97937 6c724208 67 API calls 97937->97936 97939 6c5b71ae 98435 6c5e2340 24 
API calls 97939->98435 97941 6c5b71be 98436 6c71ca69 RaiseException 97941->98436 97943 6c5b71c9 97944->97765 97945->97760 97948 6c718770 97946->97948 97947 6c7187b0 WaitForSingleObject CloseHandle CloseHandle 97947->97948 97948->97947 97949 6c7187a4 97948->97949 97949->97769 97950->97780 97952 6c7190a7 97951->97952 98482 6c7196e0 97952->98482 97954 6c7190b8 97955 6c5b6ba0 104 API calls 97954->97955 97962 6c7190dc 97955->97962 97956 6c719157 98534 6c5de010 67 API calls 97956->98534 97958 6c71918f std::ios_base::_Ios_base_dtor 98535 6c5de010 67 API calls 97958->98535 97961 6c719144 98519 6c719280 97961->98519 97962->97956 97962->97961 98501 6c719a30 97962->98501 98509 6c5f3010 97962->98509 97963 6c7191d2 std::ios_base::_Ios_base_dtor 97963->97819 97966 6c71914c 97967 6c5b7090 77 API calls 97966->97967 97967->97956 97968->97810 97974 6c718966 std::locale::_Setgloballocale 97969->97974 97970 6c718a64 Process32NextW 97970->97974 97971 6c718a14 CloseHandle 97971->97974 97972 6c718a45 Process32FirstW 97972->97974 97973 6c718a96 97973->97739 97974->97970 97974->97971 97974->97972 97974->97973 97975->97756 97976->97776 97978->97738 97979->97872 97980->97879 97981->97881 97982->97874 97983->97877 97985 6c6ec3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 97984->97985 97986 6c6ece3c 97985->97986 97988 6c6ecab9 CreateFileA 97985->97988 97989 6c6eb4d0 97985->97989 97986->97895 97988->97985 97990 6c6eb4e3 __wsopen_s std::locale::_Setgloballocale 97989->97990 97991 6c6ec206 WriteFile 97990->97991 97992 6c6eb619 WriteFile 97990->97992 97993 6c6ec377 97990->97993 97994 6c6ebc23 ReadFile 97990->97994 97991->97990 97992->97990 97993->97985 97994->97990 97996 6c71a133 std::_Facet_Register 4 API calls 97995->97996 97997 6c5e207e 97996->97997 97998 6c71aa17 43 API calls 97997->97998 97999 6c5e2092 97998->97999 98035 6c5e2f60 42 API calls 4 library calls 97999->98035 98001 6c5e210d 98004 6c5e2120 98001->98004 98036 6c71a67e 9 API calls 2 library calls 98001->98036 98002 6c5e20c8 
98002->98001 98003 6c5e2136 98002->98003 98037 6c5e2250 30 API calls 98003->98037 98004->97905 98007 6c5e215b 98038 6c5e2340 24 API calls 98007->98038 98009 6c5e2171 98039 6c71ca69 RaiseException 98009->98039 98011 6c5e217c 98011->97905 98013 6c71aa23 __EH_prolog3 98012->98013 98040 6c71a5a5 98013->98040 98018 6c71aa41 98054 6c71aaaa 39 API calls std::locale::_Setgloballocale 98018->98054 98019 6c71aa9c 98019->97909 98021 6c71aa49 98055 6c71a8a1 HeapFree GetLastError _Yarn 98021->98055 98023 6c71aa5f 98046 6c71a5d6 98023->98046 98025 6c5e1ddc 98024->98025 98026 6c5b6d5d 98024->98026 98060 6c71ab37 98025->98060 98026->97911 98031 6c5e2250 30 API calls 98026->98031 98030 6c5e1e82 98031->97914 98032->97916 98033->97918 98034->97920 98035->98002 98036->98004 98037->98007 98038->98009 98039->98011 98041 6c71a5b4 98040->98041 98042 6c71a5bb 98040->98042 98056 6c723abd 6 API calls std::_Lockit::_Lockit 98041->98056 98044 6c71a5b9 98042->98044 98057 6c71bc7b EnterCriticalSection 98042->98057 98044->98023 98053 6c71a920 6 API calls 2 library calls 98044->98053 98047 6c723acb 98046->98047 98049 6c71a5e0 98046->98049 98059 6c723aa6 LeaveCriticalSection 98047->98059 98050 6c71a5f3 98049->98050 98058 6c71bc89 LeaveCriticalSection 98049->98058 98050->98019 98051 6c723ad2 98051->98019 98053->98018 98054->98021 98055->98023 98056->98044 98057->98044 98058->98050 98059->98051 98061 6c71ab40 98060->98061 98067 6c5e1dea 98061->98067 98069 6c72343a 98061->98069 98063 6c71ab8c 98063->98067 98080 6c723148 65 API calls 98063->98080 98065 6c71aba7 98065->98067 98081 6c724208 98065->98081 98067->98026 98068 6c71fc53 18 API calls __cftoe 98067->98068 98068->98030 98071 6c723445 __wsopen_s 98069->98071 98070 6c723458 98106 6c723810 18 API calls __cftoe 98070->98106 98071->98070 98072 6c723478 98071->98072 98079 6c723468 98072->98079 98092 6c72e4fc 98072->98092 98079->98063 98080->98065 98082 6c724214 __wsopen_s 98081->98082 98083 6c724233 98082->98083 98084 6c72421e 98082->98084 98088 
6c72422e 98083->98088 98287 6c71fc99 EnterCriticalSection 98083->98287 98302 6c723810 18 API calls __cftoe 98084->98302 98086 6c724250 98288 6c72428c 98086->98288 98088->98067 98090 6c72425b 98303 6c724282 LeaveCriticalSection 98090->98303 98093 6c72e508 __wsopen_s 98092->98093 98108 6c723a8f EnterCriticalSection 98093->98108 98095 6c72e516 98109 6c72e5a0 98095->98109 98100 6c72e662 98101 6c72e781 98100->98101 98133 6c72e804 98101->98133 98104 6c7234bc 98107 6c7234e5 LeaveCriticalSection 98104->98107 98106->98079 98107->98079 98108->98095 98116 6c72e5c3 98109->98116 98110 6c72e523 98123 6c72e55c 98110->98123 98111 6c72e61b 98128 6c72a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 98111->98128 98113 6c72e624 98129 6c727eab HeapFree GetLastError _free 98113->98129 98116->98110 98116->98111 98126 6c71fc99 EnterCriticalSection 98116->98126 98127 6c71fcad LeaveCriticalSection 98116->98127 98117 6c72e62d 98117->98110 98130 6c72a30f 6 API calls std::_Lockit::_Lockit 98117->98130 98119 6c72e64c 98131 6c71fc99 EnterCriticalSection 98119->98131 98122 6c72e65f 98122->98110 98132 6c723aa6 LeaveCriticalSection 98123->98132 98125 6c723493 98125->98079 98125->98100 98126->98116 98127->98116 98128->98113 98129->98117 98130->98119 98131->98122 98132->98125 98134 6c72e823 98133->98134 98135 6c72e836 98134->98135 98138 6c72e84b 98134->98138 98149 6c723810 18 API calls __cftoe 98135->98149 98137 6c72e797 98137->98104 98146 6c7376ce 98137->98146 98144 6c72e96b 98138->98144 98150 6c737598 37 API calls __cftoe 98138->98150 98141 6c72e9bb 98141->98144 98151 6c737598 37 API calls __cftoe 98141->98151 98143 6c72e9d9 98143->98144 98152 6c737598 37 API calls __cftoe 98143->98152 98144->98137 98153 6c723810 18 API calls __cftoe 98144->98153 98154 6c737a86 98146->98154 98149->98137 98150->98141 98151->98143 98152->98144 98153->98137 98156 6c737a92 __wsopen_s 98154->98156 98155 6c737a99 98172 6c723810 18 API calls __cftoe 98155->98172 98156->98155 98157 
6c737ac4 98156->98157 98163 6c7376ee 98157->98163 98162 6c7376e9 98162->98104 98174 6c723dbb 98163->98174 98167 6c737724 98170 6c737756 98167->98170 98214 6c727eab HeapFree GetLastError _free 98167->98214 98173 6c737b1b LeaveCriticalSection __wsopen_s 98170->98173 98172->98162 98173->98162 98215 6c71f3db 98174->98215 98177 6c723ddf 98179 6c71f4e6 98177->98179 98224 6c71f53e 98179->98224 98181 6c71f4fe 98181->98167 98182 6c73775c 98181->98182 98239 6c737bdc 98182->98239 98188 6c73778e __dosmaperr 98188->98167 98189 6c737882 GetFileType 98191 6c7378d4 98189->98191 98192 6c73788d GetLastError 98189->98192 98190 6c737857 GetLastError 98190->98188 98269 6c734ea0 SetStdHandle __dosmaperr __wsopen_s 98191->98269 98268 6c7230e2 __dosmaperr _free 98192->98268 98194 6c737805 98194->98189 98194->98190 98267 6c737b47 CreateFileW 98194->98267 98195 6c73789b CloseHandle 98195->98188 98210 6c7378c4 98195->98210 98198 6c73784a 98198->98189 98198->98190 98199 6c7378f5 98200 6c737941 98199->98200 98270 6c737d56 70 API calls 2 library calls 98199->98270 98204 6c737948 98200->98204 98284 6c737e00 70 API calls 2 library calls 98200->98284 98203 6c737976 98203->98204 98205 6c737984 98203->98205 98271 6c72f015 98204->98271 98205->98188 98207 6c737a00 CloseHandle 98205->98207 98285 6c737b47 CreateFileW 98207->98285 98209 6c737a2b 98209->98210 98211 6c737a35 GetLastError 98209->98211 98210->98188 98212 6c737a41 __dosmaperr 98211->98212 98286 6c734e0f SetStdHandle __dosmaperr __wsopen_s 98212->98286 98214->98170 98216 6c71f3fb 98215->98216 98222 6c71f3f2 98215->98222 98217 6c7280a2 __Getctype 37 API calls 98216->98217 98216->98222 98218 6c71f41b 98217->98218 98219 6c728618 __Getctype 37 API calls 98218->98219 98220 6c71f431 98219->98220 98221 6c728645 __cftoe 37 API calls 98220->98221 98221->98222 98222->98177 98223 6c72a0c5 5 API calls std::_Lockit::_Lockit 98222->98223 98223->98177 98225 6c71f566 98224->98225 98226 6c71f54c 98224->98226 98228 6c71f58c 98225->98228 98230 6c71f56d 
98225->98230 98227 6c71f4cc __wsopen_s HeapFree GetLastError 98226->98227 98234 6c71f556 __dosmaperr 98227->98234 98229 6c727f33 __fassign MultiByteToWideChar 98228->98229 98231 6c71f59b 98229->98231 98232 6c71f48d __wsopen_s HeapFree GetLastError 98230->98232 98230->98234 98233 6c71f5a2 GetLastError 98231->98233 98235 6c71f5c8 98231->98235 98236 6c71f48d __wsopen_s HeapFree GetLastError 98231->98236 98232->98234 98233->98234 98234->98181 98235->98234 98237 6c727f33 __fassign MultiByteToWideChar 98235->98237 98236->98235 98238 6c71f5df 98237->98238 98238->98233 98238->98234 98240 6c737c17 98239->98240 98242 6c737bfd 98239->98242 98241 6c737b6c __wsopen_s 18 API calls 98240->98241 98244 6c737c4f 98241->98244 98242->98240 98243 6c723810 __cftoe 18 API calls 98242->98243 98243->98240 98245 6c737c7e 98244->98245 98248 6c723810 __cftoe 18 API calls 98244->98248 98246 6c739001 __wsopen_s 18 API calls 98245->98246 98251 6c737779 98245->98251 98247 6c737ccc 98246->98247 98249 6c737d49 98247->98249 98247->98251 98248->98245 98250 6c72383d __Getctype 11 API calls 98249->98250 98252 6c737d55 98250->98252 98251->98188 98253 6c734cfc 98251->98253 98254 6c734d08 __wsopen_s 98253->98254 98255 6c723a8f std::_Lockit::_Lockit EnterCriticalSection 98254->98255 98258 6c734d0f 98255->98258 98256 6c734d56 98259 6c734e06 __wsopen_s LeaveCriticalSection 98256->98259 98257 6c734d34 98260 6c734f32 __wsopen_s 11 API calls 98257->98260 98258->98256 98258->98257 98263 6c734da3 EnterCriticalSection 98258->98263 98261 6c734d76 98259->98261 98262 6c734d39 98260->98262 98261->98188 98266 6c737b47 CreateFileW 98261->98266 98262->98256 98265 6c735080 __wsopen_s EnterCriticalSection 98262->98265 98263->98256 98264 6c734db0 LeaveCriticalSection 98263->98264 98264->98258 98265->98256 98266->98194 98267->98198 98268->98195 98269->98199 98270->98200 98272 6c734c92 __wsopen_s 18 API calls 98271->98272 98275 6c72f025 98272->98275 98273 6c72f02b 98274 6c734e0f __wsopen_s SetStdHandle 98273->98274 98280 
6c72f083 __dosmaperr 98274->98280 98275->98273 98277 6c734c92 __wsopen_s 18 API calls 98275->98277 98283 6c72f05d 98275->98283 98276 6c734c92 __wsopen_s 18 API calls 98279 6c72f069 CloseHandle 98276->98279 98278 6c72f054 98277->98278 98281 6c734c92 __wsopen_s 18 API calls 98278->98281 98279->98273 98282 6c72f075 GetLastError 98279->98282 98280->98188 98281->98283 98282->98273 98283->98273 98283->98276 98284->98203 98285->98209 98286->98210 98287->98086 98289 6c724299 98288->98289 98290 6c7242ae 98288->98290 98326 6c723810 18 API calls __cftoe 98289->98326 98293 6c7242a9 98290->98293 98304 6c7243a9 98290->98304 98293->98090 98298 6c7242d1 98319 6c72ef88 98298->98319 98300 6c7242d7 98300->98293 98327 6c727eab HeapFree GetLastError _free 98300->98327 98302->98088 98303->98088 98305 6c7243c1 98304->98305 98309 6c7242c3 98304->98309 98306 6c72d350 18 API calls 98305->98306 98305->98309 98307 6c7243df 98306->98307 98328 6c72f25c 98307->98328 98310 6c72be2e 98309->98310 98311 6c7242cb 98310->98311 98312 6c72be45 98310->98312 98314 6c72d350 98311->98314 98312->98311 98412 6c727eab HeapFree GetLastError _free 98312->98412 98315 6c72d371 98314->98315 98316 6c72d35c 98314->98316 98315->98298 98413 6c723810 18 API calls __cftoe 98316->98413 98318 6c72d36c 98318->98298 98320 6c72efae 98319->98320 98324 6c72ef99 __dosmaperr 98319->98324 98321 6c72efd5 98320->98321 98322 6c72eff7 __dosmaperr 98320->98322 98414 6c72f0b1 98321->98414 98422 6c723810 18 API calls __cftoe 98322->98422 98324->98300 98326->98293 98327->98293 98329 6c72f268 __wsopen_s 98328->98329 98330 6c72f2ba 98329->98330 98332 6c72f270 __dosmaperr 98329->98332 98333 6c72f323 __dosmaperr 98329->98333 98339 6c735080 EnterCriticalSection 98330->98339 98332->98309 98369 6c723810 18 API calls __cftoe 98333->98369 98334 6c72f2c0 98337 6c72f2dc __dosmaperr 98334->98337 98340 6c72f34e 98334->98340 98368 6c72f31b LeaveCriticalSection __wsopen_s 98337->98368 98339->98334 98341 6c72f370 98340->98341 98367 6c72f38c __dosmaperr 
98340->98367 98342 6c72f3c4 98341->98342 98343 6c72f374 __dosmaperr 98341->98343 98348 6c72f3d7 98342->98348 98378 6c72e359 20 API calls __wsopen_s 98342->98378 98377 6c723810 18 API calls __cftoe 98343->98377 98370 6c72f530 98348->98370 98349 6c72f42c 98353 6c72f440 98349->98353 98354 6c72f485 WriteFile 98349->98354 98350 6c72f3ed 98351 6c72f3f1 98350->98351 98352 6c72f416 98350->98352 98351->98367 98379 6c72f94b 6 API calls __wsopen_s 98351->98379 98380 6c72f5a1 43 API calls 5 library calls 98352->98380 98357 6c72f475 98353->98357 98358 6c72f44b 98353->98358 98356 6c72f4a9 GetLastError 98354->98356 98354->98367 98356->98367 98383 6c72f9b3 7 API calls 2 library calls 98357->98383 98361 6c72f450 98358->98361 98362 6c72f465 98358->98362 98365 6c72f455 98361->98365 98361->98367 98382 6c72fb77 8 API calls 3 library calls 98362->98382 98364 6c72f463 98364->98367 98381 6c72fa8e 7 API calls 2 library calls 98365->98381 98367->98337 98368->98332 98369->98332 98371 6c7350d5 __wsopen_s 18 API calls 98370->98371 98372 6c72f541 98371->98372 98373 6c72f3e8 98372->98373 98384 6c7280a2 GetLastError 98372->98384 98373->98349 98373->98350 98376 6c72f57e GetConsoleMode 98376->98373 98377->98367 98378->98348 98379->98367 98380->98367 98381->98364 98382->98364 98383->98364 98385 6c7280bf 98384->98385 98386 6c7280b9 98384->98386 98387 6c72a252 __Getctype 6 API calls 98385->98387 98390 6c7280c5 SetLastError 98385->98390 98388 6c72a213 __Getctype 6 API calls 98386->98388 98389 6c7280dd 98387->98389 98388->98385 98389->98390 98391 6c7280e1 98389->98391 98397 6c728153 98390->98397 98398 6c728159 98390->98398 98392 6c72a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 98391->98392 98394 6c7280ed 98392->98394 98395 6c7280f5 98394->98395 98396 6c72810c 98394->98396 98400 6c72a252 __Getctype 6 API calls 98395->98400 98399 6c72a252 __Getctype 6 API calls 98396->98399 98397->98373 98397->98376 98401 6c7241b9 __Getctype 35 API calls 98398->98401 98403 6c728118 98399->98403 
98405 6c728103 98400->98405 98402 6c72815e 98401->98402 98404 6c72811c 98403->98404 98407 6c72812d 98403->98407 98406 6c72a252 __Getctype 6 API calls 98404->98406 98408 6c727eab _free HeapFree GetLastError 98405->98408 98406->98405 98410 6c727eab _free HeapFree GetLastError 98407->98410 98409 6c728109 98408->98409 98409->98390 98411 6c72813f 98410->98411 98411->98390 98412->98311 98413->98318 98415 6c72f0bd __wsopen_s 98414->98415 98423 6c735080 EnterCriticalSection 98415->98423 98417 6c72f0cb 98418 6c72f015 __wsopen_s 21 API calls 98417->98418 98419 6c72f0f8 98417->98419 98418->98419 98424 6c72f131 LeaveCriticalSection __wsopen_s 98419->98424 98421 6c72f11a 98421->98324 98422->98324 98423->98417 98424->98421 98425->97925 98426->97926 98427->97925 98428->97925 98429->97925 98431 6c5e022e 98430->98431 98432 6c5b70c4 98431->98432 98437 6c724ecb 98431->98437 98432->97937 98434->97939 98435->97941 98436->97943 98438 6c724ef6 98437->98438 98439 6c724ed9 98437->98439 98438->98431 98439->98438 98440 6c724ee6 98439->98440 98441 6c724efa 98439->98441 98453 6c723810 18 API calls __cftoe 98440->98453 98445 6c7250f2 98441->98445 98446 6c7250fe __wsopen_s 98445->98446 98454 6c71fc99 EnterCriticalSection 98446->98454 98448 6c72510c 98455 6c7250af 98448->98455 98452 6c724f2c 98452->98431 98453->98438 98454->98448 98463 6c72bc96 98455->98463 98461 6c7250e9 98462 6c725141 LeaveCriticalSection 98461->98462 98462->98452 98464 6c72d350 18 API calls 98463->98464 98465 6c72bca7 98464->98465 98466 6c7350d5 __wsopen_s 18 API calls 98465->98466 98468 6c72bcad __wsopen_s 98466->98468 98467 6c7250c3 98470 6c724f2e 98467->98470 98468->98467 98480 6c727eab HeapFree GetLastError _free 98468->98480 98472 6c724f40 98470->98472 98474 6c724f5e 98470->98474 98471 6c724f4e 98481 6c723810 18 API calls __cftoe 98471->98481 98472->98471 98472->98474 98477 6c724f76 _Yarn 98472->98477 98479 6c72bd49 62 API calls 98474->98479 98475 6c7243a9 62 API calls 98475->98477 98476 6c72d350 18 API calls 98476->98477 
98477->98474 98477->98475 98477->98476 98478 6c72f25c __wsopen_s 62 API calls 98477->98478 98478->98477 98479->98461 98480->98467 98481->98474 98483 6c719715 98482->98483 98484 6c5e2020 52 API calls 98483->98484 98485 6c7197b6 98484->98485 98486 6c71a133 std::_Facet_Register 4 API calls 98485->98486 98487 6c7197ee 98486->98487 98488 6c71aa17 43 API calls 98487->98488 98489 6c719802 98488->98489 98490 6c5e1d90 89 API calls 98489->98490 98491 6c7198ab 98490->98491 98492 6c7198dc 98491->98492 98536 6c5e2250 30 API calls 98491->98536 98492->97954 98494 6c719916 98537 6c5e26e0 24 API calls 4 library calls 98494->98537 98496 6c719928 98538 6c71ca69 RaiseException 98496->98538 98498 6c71993d 98539 6c5de010 67 API calls 98498->98539 98500 6c71994f 98500->97954 98502 6c719a7d 98501->98502 98540 6c719c90 98502->98540 98504 6c719b6c 98504->97962 98505 6c719a95 98505->98504 98558 6c5e2250 30 API calls 98505->98558 98559 6c5e26e0 24 API calls 4 library calls 98505->98559 98560 6c71ca69 RaiseException 98505->98560 98510 6c5f304f 98509->98510 98513 6c5f3063 98510->98513 98569 6c5e3560 32 API calls std::_Xinvalid_argument 98510->98569 98515 6c5f311e 98513->98515 98571 6c5e2250 30 API calls 98513->98571 98572 6c5e26e0 24 API calls 4 library calls 98513->98572 98573 6c71ca69 RaiseException 98513->98573 98516 6c5f3131 98515->98516 98570 6c5e37e0 32 API calls std::_Xinvalid_argument 98515->98570 98516->97962 98520 6c71928e 98519->98520 98524 6c7192c1 98519->98524 98521 6c5e01f0 64 API calls 98520->98521 98523 6c7192b4 98521->98523 98522 6c719373 98522->97966 98526 6c724208 67 API calls 98523->98526 98524->98522 98574 6c5e2250 30 API calls 98524->98574 98526->98524 98527 6c71939e 98575 6c5e2340 24 API calls 98527->98575 98529 6c7193ae 98576 6c71ca69 RaiseException 98529->98576 98531 6c7193b9 98577 6c5de010 67 API calls 98531->98577 98533 6c719412 std::ios_base::_Ios_base_dtor 98533->97966 98534->97958 98535->97963 98536->98494 98537->98496 98538->98498 98539->98500 98541 6c719cf8 
98540->98541 98542 6c719ccc 98540->98542 98547 6c719d09 98541->98547 98561 6c5e3560 32 API calls std::_Xinvalid_argument 98541->98561 98557 6c719cf1 98542->98557 98563 6c5e2250 30 API calls 98542->98563 98545 6c719ed8 98564 6c5e2340 24 API calls 98545->98564 98547->98557 98562 6c5e2f60 42 API calls 4 library calls 98547->98562 98548 6c719ee7 98565 6c71ca69 RaiseException 98548->98565 98551 6c719d43 98551->98557 98566 6c5e2250 30 API calls 98551->98566 98553 6c719f17 98567 6c5e2340 24 API calls 98553->98567 98555 6c719f2d 98568 6c71ca69 RaiseException 98555->98568 98557->98505 98558->98505 98559->98505 98560->98505 98561->98547 98562->98551 98563->98545 98564->98548 98565->98551 98566->98553 98567->98555 98568->98557 98569->98513 98570->98516 98571->98513 98572->98513 98573->98513 98574->98527 98575->98529 98576->98531 98577->98533 98578 6c593d62 98580 6c593bc0 98578->98580 98579 6c593e8a GetCurrentThread NtSetInformationThread 98581 6c593eea 98579->98581 98580->98579 98582 6c72262f 98583 6c72263b __wsopen_s 98582->98583 98584 6c722642 GetLastError ExitThread 98583->98584 98585 6c72264f 98583->98585 98586 6c7280a2 __Getctype 37 API calls 98585->98586 98587 6c722654 98586->98587 98594 6c72d456 98587->98594 98590 6c72266b 98600 6c72259a 16 API calls 2 library calls 98590->98600 98593 6c72268d 98595 6c72d468 GetPEB 98594->98595 98597 6c72265f 98594->98597 98596 6c72d47b 98595->98596 98595->98597 98601 6c72a508 5 API calls std::_Lockit::_Lockit 98596->98601 98597->98590 98599 6c72a45f 5 API calls std::_Lockit::_Lockit 98597->98599 98599->98590 98600->98593 98601->98597
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: HR^
                                      • API String ID: 4218353326-1341859651
                                      • Opcode ID: 0118bab50283aa7080cff5c4545287769c29c358eba05095b5ba64f0513d3927
                                      • Instruction ID: 42f4c58e76dbedc623a05f8aacb9e97e3f1f4a84a794f93be236b8cd0f09e790
                                      • Opcode Fuzzy Hash: 0118bab50283aa7080cff5c4545287769c29c358eba05095b5ba64f0513d3927
                                      • Instruction Fuzzy Hash: 8C741631644B428FC728CF29CCD0695B7F3FF95318B198A6DC09A8BA55EB74B54ACB40

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 4604 6c718930-6c718964 CreateToolhelp32Snapshot 4605 6c718980-6c718989 4604->4605 4606 6c7189d0-6c7189d5 4605->4606 4607 6c71898b-6c718990 4605->4607 4608 6c718a34-6c718a62 call 6c71f010 Process32FirstW 4606->4608 4609 6c7189d7-6c7189dc 4606->4609 4610 6c718992-6c718997 4607->4610 4611 6c718a0d-6c718a12 4607->4611 4621 6c718a76-6c718a86 4608->4621 4612 6c7189e2-6c7189e7 4609->4612 4613 6c718a64-6c718a71 Process32NextW 4609->4613 4617 6c718966-6c718973 4610->4617 4618 6c718999-6c71899e 4610->4618 4614 6c718a14-6c718a2f CloseHandle 4611->4614 4615 6c718a8b-6c718a90 4611->4615 4612->4605 4619 6c7189e9-6c718a08 4612->4619 4613->4621 4614->4605 4615->4605 4622 6c718a96-6c718aa4 4615->4622 4617->4605 4618->4605 4623 6c7189a0-6c7189ca call 6c7262f5 4618->4623 4619->4605 4621->4605 4623->4605
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C71893E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CreateSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3332741929-0

                                      Control-flow Graph
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      Similarity
                                      • API ID: CurrentThread
                                      • String ID:
                                      • API String ID: 2882836952-0
                                      APIs
                                      Similarity
                                      • API ID: CurrentThread
                                      • String ID:
                                      • API String ID: 2882836952-0
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C593E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C593EAA
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C593E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C593EAA
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C593E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C593EAA
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      APIs
                                      • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C718820
                                      • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C7188C5
                                      Similarity
                                      • API ID: Open$ManagerService
                                      • String ID:
                                      • API String ID: 2351955762-0
                                      APIs
                                      • FindFirstFileA.KERNEL32(?,?), ref: 6C70E0AC
                                      • FindClose.KERNEL32(000000FF), ref: 6C70E0E2
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0

                                      Control-flow Graph
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: 8Q
                                      • API String ID: 0-4022487301

                                      Control-flow Graph
                                      APIs
                                        • Part of subcall function 6C737B47: CreateFileW.KERNEL32(00000000,00000000,?,6C737805,?,?,00000000,?,6C737805,00000000,0000000C), ref: 6C737B64
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C737870
                                      • __dosmaperr.LIBCMT ref: 6C737877
                                      • GetFileType.KERNEL32(00000000), ref: 6C737883
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C73788D
                                      • __dosmaperr.LIBCMT ref: 6C737896
                                      • CloseHandle.KERNEL32(00000000), ref: 6C7378B6
                                      • CloseHandle.KERNEL32(6C72E7C0), ref: 6C737A03
                                      • GetLastError.KERNEL32 ref: 6C737A35
                                      • __dosmaperr.LIBCMT ref: 6C737A3C
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: 8Q
                                      • API String ID: 4237864984-4022487301
                                      • Opcode ID: 20bc9e5cc6acc88382094c024a0a3463b136f2cf53f332a378445847a1e3ed76
                                      • Instruction ID: dd619506e078ffb126a65ac8aeb9b033083603d3b37b27e3fb8ccef80eef2d74
                                      • Opcode Fuzzy Hash: 20bc9e5cc6acc88382094c024a0a3463b136f2cf53f332a378445847a1e3ed76
                                      • Instruction Fuzzy Hash: 16A16A32A04165CFCF199F38CA55BDD7BB1AB07328F18515DE818AF791C7358906C751
                                      APIs
                                      • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C6EB62F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID: *$,=ym$-=ym$-=ym$B$H
                                      • API String ID: 3934441357-3163594065
                                      • Opcode ID: b028867cc8129218ed8be2759ed13858c1374832d782640ff07f0ebbefe84ec4
                                      • Instruction ID: 6b5d58643e0d71de3c61b05cd448e623a8bcf13773675b7d1305f52c5ad8be2d
                                      • Opcode Fuzzy Hash: b028867cc8129218ed8be2759ed13858c1374832d782640ff07f0ebbefe84ec4
                                      • Instruction Fuzzy Hash: A672477460E3469FCB14CF28D49069ABBE1ABC9304F188E1EE499CBB50E774D845CB5B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;T55
                                      • API String ID: 0-2572755013
                                      • Opcode ID: 05c6dcc293f6e917af416b150d36da13a0d754e2e676069982fbbfef61f0479b
                                      • Instruction ID: 67ca9a3988a27d96449c4a0c8d458601a882826b0aba5833411452b832a2ee4f
                                      • Opcode Fuzzy Hash: 05c6dcc293f6e917af416b150d36da13a0d754e2e676069982fbbfef61f0479b
                                      • Instruction Fuzzy Hash: 83030231645B018FC728CF29CCD069AB7E3AFD53247198B6DC0AA4BA95DB74B44BCB50

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c7186e0, basic blocks call CreateProcessA, WaitForSingleObject and CloseHandle
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CloseHandle$CreateObjectProcessSingleWait
                                      • String ID: D
                                      • API String ID: 2059082233-2746444292
                                      • Opcode ID: af55d2c5cf964e6b6a369ecdfeb682db4fb600c9ddd9cc8ac3646c47f01def14
                                      • Instruction ID: 64a6b95b31f964fc79db64be034f0492c2d8b8f8e5da71bc5add039a9e9c92da
                                      • Opcode Fuzzy Hash: af55d2c5cf964e6b6a369ecdfeb682db4fb600c9ddd9cc8ac3646c47f01def14
                                      • Instruction Fuzzy Hash: E731F27180D3808FD750DF68C28475ABBF0AB99318F555A2EF8D986760D7749584CF83

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c72f34e, basic blocks call WriteFile and GetLastError
                                      APIs
                                        • Part of subcall function 6C72F5A1: GetConsoleCP.KERNEL32(?,6C72E7C0,?), ref: 6C72F5E9
                                      • WriteFile.KERNEL32(?,?,6C737DDC,00000000,00000000,?,00000000,00000000,6C7391A6,00000000,00000000,?,00000000,6C72E7C0,6C737DDC,00000000), ref: 6C72F49F
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C737DDC,6C72E7C0,00000000,?,?,?,?,00000000,?), ref: 6C72F4A9
                                      • __dosmaperr.LIBCMT ref: 6C72F4EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                      • String ID: 8Q
                                      • API String ID: 251514795-4022487301
                                      • Opcode ID: bf757bb5e6d29127315ed0e9331cb08f6f60cc7792a37ed27c89167e1b3f08cf
                                      • Instruction ID: 09568060e1b8060454599ec3dc859ff918a095c5db4db5c0873c0cb88d973a89
                                      • Opcode Fuzzy Hash: bf757bb5e6d29127315ed0e9331cb08f6f60cc7792a37ed27c89167e1b3f08cf
                                      • Instruction Fuzzy Hash: E151E971E0022AAFDB10DFA4CE48BDEBBB9EF09318F140565D510ABA41D77CD945C761

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c719280, basic blocks call only internal subroutines
                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C719421
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 323602529-1866435925
                                      • Opcode ID: 48606918c7686eb5a40da82767738e05224c67cd169084286517a40533ff5faf
                                      • Instruction ID: a876c5699d0096575eeccebdfa97bb38e0e609338ee80a924667f5c8a71b9196
                                      • Opcode Fuzzy Hash: 48606918c7686eb5a40da82767738e05224c67cd169084286517a40533ff5faf
                                      • Instruction Fuzzy Hash: 9C5143B1500B008FD725CF29C985B97BBF1BB89318F448A2DD8864BF90D775B90ACB90

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c6ecea0, basic blocks call WriteFile and ReadFile
                                      APIs
                                      • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C6ECFE1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: d174020b123d5c096835d41f4df5796c972392913b49281477de2a1a2ff22369
                                      • Instruction ID: 89892e56f82a82f34f548d25bf6e86f85f40cc97b81e30846b1267551fb80ffc
                                      • Opcode Fuzzy Hash: d174020b123d5c096835d41f4df5796c972392913b49281477de2a1a2ff22369
                                      • Instruction Fuzzy Hash: 94715AB020E345AFD710DF29C884B9ABBF4BF89708F50492EF495C7690E775D9848B86

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c6ec390, basic blocks call CreateFileA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @*Z$@*Z
                                      • API String ID: 0-2842812045
                                      • Opcode ID: d04fd379442169b1b50b95b6cb070262bba10aab3750ae8f72638dfb38fb755f
                                      • Instruction ID: 3fb7f8164f012ef9daa65ad6708b131a473d673df077f74224aee3bfee512478
                                      • Opcode Fuzzy Hash: d04fd379442169b1b50b95b6cb070262bba10aab3750ae8f72638dfb38fb755f
                                      • Instruction Fuzzy Hash: E542477060E342EFCB18DF18C4916AEBBE1AF89314F244D2EF49AC7761D231D9458B5A

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c72f015, basic blocks call CloseHandle and GetLastError
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,6C73794F), ref: 6C72F06B
                                      • GetLastError.KERNEL32(?,00000000,?,6C73794F), ref: 6C72F075
                                      • __dosmaperr.LIBCMT ref: 6C72F0A0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CloseErrorHandleLast__dosmaperr
                                      • String ID:
                                      • API String ID: 2583163307-0
                                      • Opcode ID: c95ed5a762cad582da843ec369fad28e84428a1c5f01a17b91cc74dfd10d69e1
                                      • Instruction ID: 18b3f38fe3624beeedb80aa110cf09bca40c1d52aa3266b00e23f12373997861
                                      • Opcode Fuzzy Hash: c95ed5a762cad582da843ec369fad28e84428a1c5f01a17b91cc74dfd10d69e1
                                      • Instruction Fuzzy Hash: FA01DB3370523017D33522399F4D7AEBB6A4BC773CF298669E92987AC1EF69844481A0

                                      Control-flow Graph (graph image omitted; legend: Executed / Not Executed): function entry 6c72428c, basic blocks call only internal subroutines
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8Q
                                      • API String ID: 0-4022487301
                                      • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                      • Instruction ID: 9feb545d8f17bfdadb5f2dcede420b7ce7752ce91b631d93f793984128d2654b
                                      • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                      • Instruction Fuzzy Hash: 8CF0D1329016245AD7215A3A9E0C7CB32E88F42338F214B15E920A7EC0DB7CE40AA6E5
                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7191A4
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7191E4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_
                                      • String ID:
                                      • API String ID: 323602529-0
                                      • Opcode ID: 3df0d5e96e6b54d26a952d6a0c8d58c7133d808f3057ba91f657f34116b372fe
                                      • Instruction ID: e709fb10f46a3a44895ef1237c5201cff527642675f6813bef2e202f8d528b0b
                                      • Opcode Fuzzy Hash: 3df0d5e96e6b54d26a952d6a0c8d58c7133d808f3057ba91f657f34116b372fe
                                      • Instruction Fuzzy Hash: 0C515A71105B00DBD725CF24C989BD2BBF4BB05724F448A1DD4AA47B91DB31B949CB80
                                      APIs
                                      • GetLastError.KERNEL32(6C749DD0,0000000C), ref: 6C722642
                                      • ExitThread.KERNEL32 ref: 6C722649
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: ErrorExitLastThread
                                      • String ID:
                                      • API String ID: 1611280651-0
                                      • Opcode ID: 2ae80419c68bfffda157dc6d9cd3fe75795a52910a3a2a275e871b5ae067d557
                                      • Instruction ID: 7d813e40c6b1ca7ffe743c8fbaf2022694c672c38e8cbf40b4c39f9e42607eaa
                                      • Opcode Fuzzy Hash: 2ae80419c68bfffda157dc6d9cd3fe75795a52910a3a2a275e871b5ae067d557
                                      • Instruction Fuzzy Hash: 13F0C271A00204AFDB00AF70CA4DEAE7B74FF45218F24866AE41197B51CF39A944CBA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: __wsopen_s
                                      • String ID:
                                      • API String ID: 3347428461-0
                                      • Opcode ID: 7ca2ea9f26e436c3196aaceba48bdb0afa8196e901a1f3c3e16d83e72b53207c
                                      • Instruction ID: 4224c309be070a20fd9bd4a9e9c4065fef2011bad2cc684a8e6ebd0fdf6591c4
                                      • Opcode Fuzzy Hash: 7ca2ea9f26e436c3196aaceba48bdb0afa8196e901a1f3c3e16d83e72b53207c
                                      • Instruction Fuzzy Hash: 64113A71A0420EAFCB05CF69EA4999B7BF8EF49308F144469F809AB311D670E911CBA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                      • Instruction ID: 9c3f9419d3b8eb71e4b99f8dd438cf371264509e323f720e1b3ba468b5e3a8c5
                                      • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                      • Instruction Fuzzy Hash: 55014F72C0116DFFCF019FB88E09AEE7FB5AF08214F144165ED28E2251E7318A24DB91
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000000,?,6C737805,?,?,00000000,?,6C737805,00000000,0000000C), ref: 6C737B64
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: b574fdbdfd257c96059d35d288fad5d6b332f202218845811ff3f846bd4c9b08
                                      • Instruction ID: 2f48db5734500fd7bdeef786232bc9c0418422779c6057bda8abf4fccd1c73a4
                                      • Opcode Fuzzy Hash: b574fdbdfd257c96059d35d288fad5d6b332f202218845811ff3f846bd4c9b08
                                      • Instruction Fuzzy Hash: 36D06C3210014DBBDF029E84DC46EDA3BAAFB48715F018010FA5856020C732E861EB90
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                      • Instruction ID: 33e1d794ba9a19e527dacd10cd055076f1a126927a2cb954c157937c15476881
                                      • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C766097
                                        • Part of subcall function 6C7691D6: __EH_prolog.LIBCMT ref: 6C7691DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                       • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $ $*$0UJ$@$@
                                      • API String ID: 3519838083-862571645
                                      • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                      • Instruction ID: b6798ae50f7f56fb111c8460f5949b8ec1333f25b0fd8da31df87330024449d3
                                      • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                      • Instruction Fuzzy Hash: 5A33AF30D00258DFDF11DFA5CA98BDDBBB1AF45308F1480A9D809ABA91DB719E89CF51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C7B88A4
                                      • __aulldiv.LIBCMT ref: 6C7B8C4A
                                      • __aulldiv.LIBCMT ref: 6C7B8C78
                                      • __aulldiv.LIBCMT ref: 6C7B8D18
                                        • Part of subcall function 6C7BA36D: __EH_prolog.LIBCMT ref: 6C7BA372
                                        • Part of subcall function 6C7BA40E: __EH_prolog.LIBCMT ref: 6C7BA413
                                        • Part of subcall function 6C7B9E78: __EH_prolog.LIBCMT ref: 6C7B9E7D
                                        • Part of subcall function 6C7B424A: __EH_prolog.LIBCMT ref: 6C7B424F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      Similarity
                                      • API ID: H_prolog$__aulldiv
                                      • String ID: L$b
                                      • API String ID: 604474441-3566554212
                                      • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                      • Instruction ID: 72342cd8140f31e3768ec4755fb9c3c6a813b244dc8bb849fe1b10f29792a7b5
                                      • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                      • Instruction Fuzzy Hash: 34E28C30D05249DFCF15DFA4CA98ADDBBB4BF29308F1480AAD459B7741DB306A89CB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: C
                                      • API String ID: 4218353326-4157497815
                                      • Opcode ID: 036d7494600915ef1948974d18a9084186c13ea1225d1374a7ccdbac5eac2167
                                      • Instruction ID: a43c54af40849067b46b127156be336ae6c80d471cf16a94fc0236f2fd73de9e
                                      • Opcode Fuzzy Hash: 036d7494600915ef1948974d18a9084186c13ea1225d1374a7ccdbac5eac2167
                                      • Instruction Fuzzy Hash: D6730271648B018FC728CF29C9D0A96B7F2BF9531871D8A6DC0A787E55EB34B54ACB40
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 6C71945A
                                      • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C719466
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C719474
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C71949B
                                      • NtInitiatePowerAction.NTDLL ref: 6C7194AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3256374457-3733053543
                                      • Opcode ID: fd6955d11a41b723ebd60ccce0e74bfeaaa1007807f3b208ce90f1fdffc8bb39
                                      • Instruction ID: d031e4676f57a337147f8344b7f11fd255bb54a3c66ff81b519e92b77d4ca587
                                      • Opcode Fuzzy Hash: fd6955d11a41b723ebd60ccce0e74bfeaaa1007807f3b208ce90f1fdffc8bb39
                                      • Instruction Fuzzy Hash: 5AF03071684305ABEA20AF28CD0BB9A7BF8EB45705F00456CF949A61D1D7706994CBE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: \j`7$\j`7$j
                                      • API String ID: 0-3644614255
                                      • Opcode ID: e12eee279e243af78163953e39fe793515df577e2cf5e3970afc8a001df7bd98
                                      • Instruction ID: 593ce83c84ed64d12d60c5732f5aae755a02886c9a13a676918044ac1e86f5e1
                                      • Opcode Fuzzy Hash: e12eee279e243af78163953e39fe793515df577e2cf5e3970afc8a001df7bd98
                                      • Instruction Fuzzy Hash: 534224746093828FCB25CF68C88066ABBE5BBCA354F144E6EE499CB760D334D845CB53
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C7AB4B1
                                        • Part of subcall function 6C7AC93B: __EH_prolog.LIBCMT ref: 6C7AC940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 1$`)K$h)K
                                      • API String ID: 3519838083-3935664338
                                      • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                      • Instruction ID: 1cd05107cc9feb95fe1900cbdbebda2b5cdd5b1de24ea0c59050ff52c096f3d6
                                      • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                      • Instruction Fuzzy Hash: 5BF2AD70D01248DFDF11DBE8CA88BDDBBB4AF49309F244199E449AB751CB71AA86CF11
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C79DEF4
                                        • Part of subcall function 6C7A1622: __EH_prolog.LIBCMT ref: 6C7A1627
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $h%K
                                      • API String ID: 3519838083-1737110039
                                      • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                      • Instruction ID: 5ad9802d9c4aed24e557d59663cd312f322023a47737699af471de019476959a
                                      • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                      • Instruction Fuzzy Hash: C9538B30901258DFDB15CBA4CA98BEDBBB4BF09308F1441E8D45AA7791DB70AE89CF51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C779CE5
                                        • Part of subcall function 6C74FC2A: __EH_prolog.LIBCMT ref: 6C74FC2F
                                        • Part of subcall function 6C7516A6: __EH_prolog.LIBCMT ref: 6C7516AB
                                        • Part of subcall function 6C779A0E: __EH_prolog.LIBCMT ref: 6C779A13
                                        • Part of subcall function 6C779837: __EH_prolog.LIBCMT ref: 6C77983C
                                        • Part of subcall function 6C77D143: __EH_prolog.LIBCMT ref: 6C77D148
                                        • Part of subcall function 6C77D143: ctype.LIBCPMT ref: 6C77D16C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      Similarity
                                      • API ID: H_prolog$ctype
                                      • String ID:
                                      • API String ID: 1039218491-3916222277
                                      • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                      • Instruction ID: e45383b0758a629cb712c503ed7c564c8ba794d7599f23d4d7eebb61898ce0de
                                      • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                      • Instruction Fuzzy Hash: 6203BD3080524CDFDF21DFA4CA5CBDCBBB0AF15318F2480A9D44967A91DB74AA8DDB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: W
                                      • API String ID: 3519838083-655174618
                                      • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                      • Instruction ID: fc40e6ed1118276053e4fe5936ace635a2bb39a9ededccef68287bbf0494abb3
                                      • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                      • Instruction Fuzzy Hash: B5B28C70A05259DFDB00CFE8C688B9DBBB4AF49308F2442A9E845EB751CB75DD42DB60
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C723969
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C723973
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C723980
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 5756fa76310968dbf8cf2412eeb9559fdac1dbf4b50defe268f80f3ce932024e
                                      • Instruction ID: 14ed18541bbf8799ec28fc1b1aff6c131f0ec033a6a2d2188f8ff745de565736
                                      • Opcode Fuzzy Hash: 5756fa76310968dbf8cf2412eeb9559fdac1dbf4b50defe268f80f3ce932024e
                                      • Instruction Fuzzy Hash: 9031A3749112289BCB61DF68D988BCDBBF8BF08314F5045EAE41CA7650EB749B85CF44
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,6C722925,?,?,?,?), ref: 6C72288F
                                      • TerminateProcess.KERNEL32(00000000,?,6C722925,?,?,?,?), ref: 6C722896
                                      • ExitProcess.KERNEL32 ref: 6C7228A8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: fe4a84fa1d52ff425540d6fca526db502b94c21d8feee4c6d2f745520bc5d5c3
                                      • Instruction ID: 337c742687f0e08c818dbfb7bddd661972046eb7a6fb1dcaf7e4bed6b5d797ae
                                      • Opcode Fuzzy Hash: fe4a84fa1d52ff425540d6fca526db502b94c21d8feee4c6d2f745520bc5d5c3
                                      • Instruction Fuzzy Hash: 2AE0EC31650108EFCF017F65CA0DA993F79FF45769B218835F91986621CB3EE982CB94
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-3916222277
                                      • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                      • Instruction ID: 1d8f4fadd6fdcddeb8be578685f7425ee47e7964f2c8f8cbcf79835f0db87a72
                                      • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                      • Instruction Fuzzy Hash: F192B130901249DFDB05DFA8DA88BEEBBB1BF09318F248099E815AB791C774DD45CB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-3916222277
                                      • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                      • Instruction ID: 9812ca767f4b3a95e64f71035172ce5e3e6b56bab93135b67d6ec889fef9abe8
                                      • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                      • Instruction Fuzzy Hash: D2226B71A006099FDB44CFA8D588BADBBF0FF48308F108569E8599B782D775E946CF90
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C79789B
                                        • Part of subcall function 6C798FC9: __EH_prolog.LIBCMT ref: 6C798FCE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @ K
                                      • API String ID: 3519838083-4216449128
                                      • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                      • Instruction ID: 2847e0f46611f809319ba061f7cf07af90b53232007c3049a1562bdab6ecd7fc
                                      • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                      • Instruction Fuzzy Hash: 4FD14631E002048FDB04CFA9E694BDEBBB6FF85318F15807AD405ABB85CB349945CB50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: x=J
                                      • API String ID: 3519838083-1497497802
                                      • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                      • Instruction ID: 4af175388d5864b45a9060051c13f39df29684b944a7fe8509f8bce6012b47eb
                                      • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                      • Instruction Fuzzy Hash: 1691E071D01209DBCF04EFA4CA98AEDB775BF0534AF20C06AD45167A62DB316D4ECB94
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C71AFA0
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C71B7C3
                                        • Part of subcall function 6C71CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C71B7AC,00000000,?,?,?,6C71B7AC,?,6C74853C), ref: 6C71CAC9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                      • String ID:
                                      • API String ID: 915016180-0
                                      • Opcode ID: f797a8efa9fbd819262079e3aa4121c4bea85a44f7c342c2818c07d37ad57c10
                                      • Instruction ID: d292dd981033d0d6d671e790fedbe107991a395ab74c16a984624f056d6d736b
                                      • Opcode Fuzzy Hash: f797a8efa9fbd819262079e3aa4121c4bea85a44f7c342c2818c07d37ad57c10
                                      • Instruction Fuzzy Hash: BEB16FB1A082069FDB14CF66C98669ABBF5FB49328F18853AD455E7F80D334A644CFD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @4J$DsL
                                      • API String ID: 0-2004129199
                                      • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                      • Instruction ID: 352b769e8ffd488a2340be1eba417c22380295bc578bd15e2897f9e1e682b2f4
                                      • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                      • Instruction Fuzzy Hash: CC2171376A4D564BD74CCA28DC33EB92680E748305B89527EE94BCB7D1DF5D8800C648
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C76840F
                                        • Part of subcall function 6C769137: __EH_prolog.LIBCMT ref: 6C76913C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                      • Instruction ID: de8838111a5404dd2beb61a1d950b34f287499ac2fdaa713eb8976e9d6eaecd1
                                      • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                      • Instruction Fuzzy Hash: DA626971900219CFDF15CFA6CA98BEDBBB1BF09308F14416AE815ABA81D7749A44CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: YA1
                                      • API String ID: 0-613462611
                                      • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                      • Instruction ID: 4501b2cbb4a98768a2e978d2612285e5fd7629dbda57e5b6abc4620330ca2b2d
                                      • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                      • Instruction Fuzzy Hash: E042D2707493828FD315CF28C59069ABBE2BFD9308F144A6DE8D68B742D671D946CB83
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                      • Instruction ID: a9ab212d10a39956b8259e581779345a6b2e501c1b1689059de64b41d8cb0f68
                                      • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                      • Instruction Fuzzy Hash: 16E18E726083458FC724CF29C980AAAB7F5BFC8314F248A2EE958CB755D730E945CB91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                      • Instruction ID: 2f902a254d44784d4f51244bd9036c70807832d4634a3f0fa1aff7f1b53bb6c0
                                      • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                      • Instruction Fuzzy Hash: 80F16770901249DFCB14CFA8D698BEDBBB1FF05318F14806DD409ABB52D770AA99CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                      • Instruction ID: 41d8874e88e3bd5adb1735fcfb8e67b3e5103c29a3590529d7edbd895115cc9e
                                      • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                      • Instruction Fuzzy Hash: F0324AB1A083058FC318CF59C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aullrem
                                      • String ID:
                                      • API String ID: 3758378126-0
                                      • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                      • Instruction ID: 40fcf9210d62ae76d1969fdedc8e165f588693c4f6effa06fec248a78906f45f
                                      • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                      • Instruction Fuzzy Hash: FA51F971A083459BD710CF5AC4C12EDFBF6EF79214F18C05EE8C897242D67A599AC760
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                      • Instruction ID: ab95e893c403f197c682ccd778e6eeb29381d42c92015f93ab258fbe795001c4
                                      • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                      • Instruction Fuzzy Hash: 7F02AB316883428FD324CF28C69079EBBE2AFE8358F144A2DE89597B51C774D946CB47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                      • Instruction ID: d9f714e33e29d77ec1862fabaf386a653e4cdfbd54b6c332858922ec3aabe4da
                                      • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                      • Instruction Fuzzy Hash: D4D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: B
                                      • API String ID: 0-1255198513
                                      • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                      • Instruction ID: ff998fd1a020bf50c338cab39e41a21257b2a3f9fe33ff75b0814aa2c5f92aec
                                      • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                      • Instruction Fuzzy Hash: 4A3126315087558BD724DF28D884AABB3E2FBC4325F60CA3DD89ACBA94E7745415CF41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                      • Instruction ID: d7f0401ba944376304c919287003b25e74de3f2acb5a579129ffe253e08eebb7
                                      • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                      • Instruction Fuzzy Hash: 79727DB16042168FD748CF28C590258FBE1FF89314B5A46BDD95AEB742EB70E895CBC0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                      • Instruction ID: 052e4e0057c1d56c940794dee5b74f6ad65cedb68702697f1142442cf6fc9956
                                      • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                      • Instruction Fuzzy Hash: B06211B1A083458FC714CF29C68061AFBE6BFD8744F258A2EE89987714D770E845CF96
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                      • Instruction ID: baabb4eaba55558e72ef8db813d5ebbd3aa0466914d925fa6cbdeba3f3c3ed72
                                      • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                      • Instruction Fuzzy Hash: C942AE71204B068BD328CF69C9947AAB3E2FB84314F054A2DE897C7B95EB74F549CB41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                      • Instruction ID: 6a23638644817beeea50dc34f3cd3be5f1fbb80188918a0b60a89f62e96f9255
                                      • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                      • Instruction Fuzzy Hash: 7A329C71B0024A8FDB08CF28C9902DE3BA2FF99365F258539EC559B741D774E952CB82
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                      • Instruction ID: 38376deb1df00ceb532eb54cc43ebebb4d85a7f5cbacd767d1983c996d3c4cfb
                                      • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                      • Instruction Fuzzy Hash: 451280713097428FC718CF29C6D066ABBE2BFC8344F54892DE99687B42DB31E945CB52
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                      • Instruction ID: 82fd8cb37900a18cfc00ab22e5b10bbc5e96ffd2b16b0b41a9461b2bb7840421
                                      • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                      • Instruction Fuzzy Hash: 86020C31A483118FC318CE2CC5C0269BBF2FBC4355F1A4B2EE496D7A5AD774A945CB92
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                      • Instruction ID: 869e3a75998e9831a37f5d30755a30c61e501af8314ac5d9bf9f0b9082b47794
                                      • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                      • Instruction Fuzzy Hash: 52F1123270428A8FEB24CE28D9587EEB7E2FBC5304F544539D889CBB41DB35954AC792
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                      • Instruction ID: e1c83bca5f79fb51fc4ee75d1c6d12ede283eaeb3dd76af1fe3cb4a8abb5b26a
                                      • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                      • Instruction Fuzzy Hash: 8CE1F032704B028FD724CE29D5903AAB7E2FBD4318F544A3DC59687B81DB35E50ACB82
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                      • Instruction ID: 9761eba06cc8c3e26720cccd6268bf0590c77c74ee74674775897d447c58f1cf
                                      • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                      • Instruction Fuzzy Hash: AEF1D171608B518FC328CF2DC491266FBE1BF89305F188A6EE1D6CBA92D339E554CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                      • Instruction ID: 70edbf7826c2efa4a81081f58000f98672d3ed5e7d89b14c3f1d5c78c22af0e3
                                      • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                      • Instruction Fuzzy Hash: 46F1D1705087518FC329CF29C59026AFBF2BF85308F198A2ED5D68BA91D339F155CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                      • Instruction ID: 0a42cfc72a891ec272ee59df84d10db0cb3163385b488367a28304cae7162931
                                      • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                      • Instruction Fuzzy Hash: 0AC1C471704B068FE368CF29C5906AAB7E2FBE4318F548A3DC19687B46D630F455CB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                      • Instruction ID: 5da1a77620b5e6d48756a32866c8d7fca5b2ec8d6b367de74ff4775085e4a724
                                      • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                      • Instruction Fuzzy Hash: 3CD167715047128FD319CF1DC598236BBE1FF86304F064ABDEAA28B78AD735A906CB50
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                      • Instruction ID: 3e298b0f71fc651de33ac6ed35d1eaee987f67c0ebe214fd1a92586cb227c604
                                      • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                      • Instruction Fuzzy Hash: FBE1D5B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                      • Instruction ID: 39b1311f4d86decb9cab072390318a37dff0b5c4641bae905cbdb2839763c7e3
                                      • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                      • Instruction Fuzzy Hash: FCB1C9366087168BD328DE7CD8904FB73E2EBC1320F558A3DE596C79C4DB31991A8B81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                      • Instruction ID: 2e77ebdb834a02405304d807835db74e321f2921c21eee9bb5d730de8037df15
                                      • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                      • Instruction Fuzzy Hash: 6AB16D76A052408FC341CF29C980254BBA2FF85278F7A96AED4948F647D737E847CB91
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                      • Instruction ID: 57c413f3ed3de2d35965b44a0c96e640c9f94f32d00f5162c27a880f6303e1d7
                                      • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                      • Instruction Fuzzy Hash: 8CD1F7B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB600B753D634BB12D794
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                      • Instruction ID: a7675bc2439c5d38c06adc809e6983bb8f89f1cc1b408ec7060de7368ae81df4
                                      • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                      • Instruction Fuzzy Hash: B5B1C2313047464FD314DE3ACA98BEAB7E1BF84318F04453DC5AA8B751EF75A5098B92
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                      • Instruction ID: 9d9d3b8b618ff0819c6f24700e473429f668c5e9d7fe77bf61046549e862a240
                                      • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                      • Instruction Fuzzy Hash: 4CB1A9757087028FC314DF29C9806AAF7E2FFC8304F14892DE49A87711E771A55ACBA6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                      • Instruction ID: f135e5fb0c417ccef59c7988646e59dd654cac1ae152d931b23c0b9db3f966fd
                                      • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                      • Instruction Fuzzy Hash: C0A1F0727083428FC318DF29C69069ABBE1ABD5349F084A3DE4D687B41D631E84ACB43
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                      • Instruction ID: e86ae55d945a822a7ec42eedecee8440f0e14000acbf3562abac195ef3eb3c6e
                                      • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                      • Instruction Fuzzy Hash: E681B035B047068FC320DF29C180296B7E1FF99714F28CAADC5999B715E772E946CB82
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                      • Instruction ID: 20cac6f657bb4ded7c7de437f20650d94e922f15db123d50bd5007e97648a01e
                                      • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                      • Instruction Fuzzy Hash: 14A1CD7190824A8FD729CF19D590AAEB7F2FFC4318F198A2DE8868B342D335B555CB41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                      • Instruction ID: 6f67cab1f906d090f779952d0c6bb13a972801e7e1237b9b3a830e9439f798c5
                                      • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                      • Instruction Fuzzy Hash: FA51A9366126114BC31CDA3CD8619E73392EBC6370B18CB3EE556C79D4EB79940BC600
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                      • Instruction ID: 36a74b023f5411d5027dea0d81582b2992caa28499d0f68d7a63c418a56e424a
                                      • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                      • Instruction Fuzzy Hash: 6A51B072F006099BDB08CFA9DE926EDB7F1EB88308F248179D415E7B82D7749A41CB40
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                      • Instruction ID: 62b98f2d892507e8f48382a8766a4eae6573285e6e0a0c8bb1b022ee7811f633
                                      • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                      • Instruction Fuzzy Hash: 8A51373550C7068BC324DF6CE9409EAB3A1EFC5320F618B3EE455CB8D1EB75552A8B46
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                      • Instruction ID: c8a227d23d74677b32b05126598c5ae6fcca1a4471fe67ae10f524900456610d
                                      • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                      • Instruction Fuzzy Hash: D4518F3460834A8FD710DF2EC98060AB7E1FF98708F244AADE994A7711D771E946CBD1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                      • Instruction ID: 6a9426b6377027683eef7080e9a60ad51d0cd897269a084c6b362a45a3b68f76
                                      • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                      • Instruction Fuzzy Hash: 803114277A440113CB4CCD3BDD2279FA1575BD422A75ECF396C05CEF56D92CC8125144
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                      • Instruction ID: fae03e18264ae3b144a9d84b86b132a4f93cc590763a5491385669ddcdfb4c2d
                                      • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                      • Instruction Fuzzy Hash: 5B31F873600A050BF201851A8F4935A7223EBC23B9F2BC774DA6687AACDA73BC478155
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                      • Instruction ID: 0c96a21cbd428e04250027f0dcb2becbb38d56429a87c94c0aba0576beec0c3b
                                      • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                      • Instruction Fuzzy Hash: E3311673505A050BF200856ACB883567223DBC2378F2B8775D96697EEDCB71F807C142
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa879490cdd8b91aa849e46015977ade82b99302b28b8381397caad6ffc46fd2
                                      • Instruction ID: c7732d7eddb3928fa6116021a536ef30c9ca03c78ac02ab7cde5af66df1c4f15
                                      • Opcode Fuzzy Hash: fa879490cdd8b91aa849e46015977ade82b99302b28b8381397caad6ffc46fd2
                                      • Instruction Fuzzy Hash: 43418B72A487168FC314EE58EC804EBB3A6EFC8310F904B3DA865871D5D771691AC390
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                      • Instruction ID: 4a5d028747efeee60c91420e960429f7795a55d4196d9207f10c5932a73e74fe
                                      • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                      • Instruction Fuzzy Hash: A641C1729047068BD704CF19C8A056AB3E4FF98318F454A3DED9AA7381E731FA55CB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                      • Instruction ID: f1fced7c344087bf94ed2c22cddf18dd9288afc9a20024ea727f3346cfe64f92
                                      • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                      • Instruction Fuzzy Hash: 80317731A047228BD728DA79D5400ABB3E2EBC5318B55CB3DC4568B589EBB5640BCB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                      • Instruction ID: e445e97c2e155a0b98c22d60c7aac163ab31a18b62100c90901961fa7457f8ef
                                      • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                      • Instruction Fuzzy Hash: 112134735144258BC301DF2EE888677B7E1FFD832DF638A3AD9928B581C624D840C6A0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                      • Instruction ID: 3a2b161bd11a0ba07d928e76ab3670e74cd1835e9a825ac6d427bb29e90751fe
                                      • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                      • Instruction Fuzzy Hash: 8A2121336051248BC701EF6AD98469B73A6FBD8368F67C639ED8147645C630EA0686A4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                      • Instruction ID: dfaad0c1a58d20e43a758d8c9a2d4fa7ada6efc2679508df8b70a3e277333c08
                                      • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                      • Instruction Fuzzy Hash: 37219077320A0647E74C8A38D93737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                      • Instruction ID: c1454e3eb32435c2ad9146fa5280f05fc5ef0dc43195d16eea7213fec5445308
                                      • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                      • Instruction Fuzzy Hash: B32190327193428FC308DF58D88096BBBE6FFC9211F15857DE9948B352C635E906CB91
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                      • Instruction ID: 82985a50fff42671e6cc39213a3511dd0e0f62457f9e7668cdc60b093c80f8be
                                      • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                      • Instruction Fuzzy Hash: CE1190723183864BC308CE1DDC90966BBE5FBC9300F24897DE985C7342C625E907DB95
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                      • Instruction ID: e3daed1043e06cb82c0cbf0a436baa394dac516c93a76dc911bfdd24789af7a5
                                      • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                      • Instruction Fuzzy Hash: E101216629628989DB81DA79D590748FE80F756203F9CC3F4D0C8CBF42D589C54BC3A1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c2a48dbd9f5ae11a7c0b7b86b8e4bf1e4555eece8976f47736a28c51621aef9e
                                      • Instruction ID: 5ce79ec17a030c6c57092daf3ef74eba17847050619bb68e14daa971ae5f1e93
                                      • Opcode Fuzzy Hash: c2a48dbd9f5ae11a7c0b7b86b8e4bf1e4555eece8976f47736a28c51621aef9e
                                      • Instruction Fuzzy Hash: 97F03031A152249BCB12CB49C90AB8973B8EB45BA9F5141A6E951DBA40C6B8EE40C7C4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                      • Instruction ID: 1edd19231ad343617646f10b3db4240ec64383ed48d086fd948b972b8445790b
                                      • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                      • Instruction Fuzzy Hash: 4AE08C32912238EBCB10CB88CA0CD8AF3ECEB45B14B1100A6F925D3600C278EE00C7D0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                      • Instruction ID: 856ec19666524525a1cac2a4998cacd6734966e2f59aabd3010b59bbe661ecbf
                                      • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                      • Instruction Fuzzy Hash: 41C08CA312810017C302EA3699C0BABFBB37760330F228C3EA0A2E7E43C328C0688111
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                      • API String ID: 3519838083-609671
                                      • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                      • Instruction ID: 744658b2068c698fa51fcc27a217cbcd3da90c72ef5178d1626c70ec3a37f42d
                                      • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                      • Instruction Fuzzy Hash: 30D19271A062099FCF01CFA4DA98BEDB7B5FF05318F248539E265A3A50DB70D948CB64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                      • API String ID: 3519838083-3887797823
                                      • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                      • Instruction ID: 43673d41ef0d899460e937f77e3106b9329bb0471e2e52449c028cd13f97d12a
                                      • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                      • Instruction Fuzzy Hash: 04022770901249DFDB10CF94CA94ADEFBB5FF05318F5482AED049A7A50D730AA8ACF61
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C798B74
                                        • Part of subcall function 6C798AC2: __EH_prolog.LIBCMT ref: 6C798AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                      • API String ID: 3519838083-3148776506
                                      • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                      • Instruction ID: f55893f7c4237d842cf9380efc20844a66d703b6991cc9ab91e2ea9bf5c60004
                                      • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                      • Instruction Fuzzy Hash: F451F1309051059BCF04EFA4D688AEEB372AF9630CF18C56BC9616BB90DB75990EC790
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $ $$ K$, K$.$o
                                      • API String ID: 3519838083-1786814033
                                      • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                      • Instruction ID: da49e04bc0ea5d1338a44156c5274aced784cb9acbfadc479f855b2959ab6130
                                      • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                      • Instruction Fuzzy Hash: 33D10931D0425D8FDF11CFA8E6947EEBBB2BF09308F248369C455ABA51C7715A48CBA1
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 6C71D1F7
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 6C71D1FF
                                      • _ValidateLocalCookies.LIBCMT ref: 6C71D288
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 6C71D2B3
                                      • _ValidateLocalCookies.LIBCMT ref: 6C71D308
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 8bf57e895efd865949e4fc72cfb5dc4db88a1ae7626b89f0690519585054ea18
                                      • Instruction ID: 3295ad441182b17f75cc693944b135d1c26a2777ff970da3bda26f5ba9fb9e6d
                                      • Opcode Fuzzy Hash: 8bf57e895efd865949e4fc72cfb5dc4db88a1ae7626b89f0690519585054ea18
                                      • Instruction Fuzzy Hash: 2341E430A04219ABCF01CF68CA48ADE7BF5AF45328F18C165E8289BF51D735DA06CF94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-$ext-ms-
                                      • API String ID: 0-537541572
                                      • Opcode ID: ff167878cdd6367069813110ad882a8dad2109b67cbdafcaa2ffac717b6e1eb9
                                      • Instruction ID: 628f8c142514c2c1c1077ead9cbb3e9c9f9fcd0f34e5817a82c45c45387a23b7
                                      • Opcode Fuzzy Hash: ff167878cdd6367069813110ad882a8dad2109b67cbdafcaa2ffac717b6e1eb9
                                      • Instruction Fuzzy Hash: AE21DA71F05221EBDB219A698E88F4B37B89F02B78F155631E815A7B81D738DD01C6E0
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,6C72E7C0,?), ref: 6C72F5E9
                                      • __fassign.LIBCMT ref: 6C72F7C8
                                      • __fassign.LIBCMT ref: 6C72F7E5
                                      • WriteFile.KERNEL32(?,6C7391A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C72F82D
                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C72F86D
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C72F919
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ConsoleErrorLast
                                      • String ID:
                                      • API String ID: 4031098158-0
                                      • Opcode ID: 26058080102ddc34e1d09d66fd261a5d72199984038d9142b9214e16bcacb054
                                      • Instruction ID: 6217cdc119795e0f6aef7325fbffc359d8801fd63893434d56c82aa151d12572
                                      • Opcode Fuzzy Hash: 26058080102ddc34e1d09d66fd261a5d72199984038d9142b9214e16bcacb054
                                      • Instruction Fuzzy Hash: B4D1BA71E012689FDF11CFA8CA809EDBBB5FF09318F28016AE855BB741D735A946CB50
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6C5E2F95
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6C5E2FAF
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6C5E2FD0
                                      • __Getctype.LIBCPMT ref: 6C5E3084
                                      • std::_Facet_Register.LIBCPMT ref: 6C5E309C
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6C5E30B7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                      • String ID:
                                      • API String ID: 1102183713-0
                                      • Opcode ID: ab66611295e9cd32c03707f6403e0f4c5904402d415f75915b5b8314a5bf1df1
                                      • Instruction ID: 3cfe91d8d394b7234877babe862db961fa4e2e5c7230217bdba9b2bc257bdcee
                                      • Opcode Fuzzy Hash: ab66611295e9cd32c03707f6403e0f4c5904402d415f75915b5b8314a5bf1df1
                                      • Instruction Fuzzy Hash: E14136B1E042158FDB14CF94C959B9EB7F1FF49728F084528D869ABB50DB34A908CBD1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aulldiv$__aullrem
                                      • String ID:
                                      • API String ID: 2022606265-0
                                      • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                      • Instruction ID: 5a82920baed37b169b7ce016935341c8ab37aa28c2611353f50f8111f3d680dd
                                      • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                      • Instruction Fuzzy Hash: 82210131980219FFDF109E948E48DDF7F79EB853B8F60C226B428A16D0DA718E60D760
                                      APIs
                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 6C5E2A76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ___std_exception_destroy
                                      • String ID: U#^l$q!^l$Jbx$Jbx
                                      • API String ID: 4194217158-4250991150
                                      • Opcode ID: b06f813741456052800a036ce5d34bcfe7788d19fb62d7710c0c3d218d666a95
                                      • Instruction ID: 43af51e1ea484e98d81d23fc22a9beb9f33034746415b9a9b572d60a603ce675
                                      • Opcode Fuzzy Hash: b06f813741456052800a036ce5d34bcfe7788d19fb62d7710c0c3d218d666a95
                                      • Instruction Fuzzy Hash: 835114B29002158FCB14CF58CC8869EBBB5FF89314F14856DE849DBB45E371D985CB91
                                      APIs
                                      • _free.LIBCMT ref: 6C7391CD
                                      • _free.LIBCMT ref: 6C7391F6
                                      • SetEndOfFile.KERNEL32(00000000,6C737DDC,00000000,6C72E7C0,?,?,?,?,?,?,?,6C737DDC,6C72E7C0,00000000), ref: 6C739228
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C737DDC,6C72E7C0,00000000,?,?,?,?,00000000,?), ref: 6C739244
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFileLast
                                      • String ID: 8Q
                                      • API String ID: 1547350101-4022487301
                                      • Opcode ID: e3394034ff5cdad6375cd3f877f3fe4ba5ae32034ed426e97e8edaf2e116fdb3
                                      • Instruction ID: f6e224560354e7cb1a70b7c00d93382e48aa265e31a6a11719235c4d4536c4f7
                                      • Opcode Fuzzy Hash: e3394034ff5cdad6375cd3f877f3fe4ba5ae32034ed426e97e8edaf2e116fdb3
                                      • Instruction Fuzzy Hash: 66412732900A25ABDB109BB8CE0CBCE777AAF55374F145510E82CB7B92EF34C8094761
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C7A6853
                                        • Part of subcall function 6C7A65DF: __EH_prolog.LIBCMT ref: 6C7A65E4
                                        • Part of subcall function 6C7A6943: __EH_prolog.LIBCMT ref: 6C7A6948
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: ((K$<(K$L(K$\(K
                                      • API String ID: 3519838083-3238140439
                                      • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                      • Instruction ID: 35209d1eb6dd1f7f8793b0049319cb864255c79778bed49bdbc4eb12dc8429c3
                                      • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                      • Instruction Fuzzy Hash: BC213CB0901B44CEC724DF6AC64869BFBF4EF54308F108A1FC0A697B50D7B46608CB69
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C77141D
                                        • Part of subcall function 6C771E40: __EH_prolog.LIBCMT ref: 6C771E45
                                        • Part of subcall function 6C7718EB: __EH_prolog.LIBCMT ref: 6C7718F0
                                        • Part of subcall function 6C771593: __EH_prolog.LIBCMT ref: 6C771598
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: &qB$0aJ$A0$XqB
                                      • API String ID: 3519838083-1326096578
                                      • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                      • Instruction ID: af9c56662cd58fd589455d954641cda923d7dd8529ba777c329c5c185194b54d
                                      • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                      • Instruction Fuzzy Hash: DD21B871D01248EBCF09DBE4DA9C9ECBBB4AF25318F208029E41627781DB785E0CCB61
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C7228A4,?,?,6C722925,?,?,?), ref: 6C72282F
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C722842
                                      • FreeLibrary.KERNEL32(00000000,?,?,6C7228A4,?,?,6C722925,?,?,?), ref: 6C722865
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 85d726e05f041631854bd476d5e82cedc01324c3f21b1030865a55dfdc87ed97
                                      • Instruction ID: 6110a4026fc78cd5d66cb42cece71f8dd01685f373df89db8f3122937a1a5a56
                                      • Opcode Fuzzy Hash: 85d726e05f041631854bd476d5e82cedc01324c3f21b1030865a55dfdc87ed97
                                      • Instruction Fuzzy Hash: A4F08C30621119FBDF01AB91CE0DB9EBBB8EB0136AF218075E901B2860CF34CB01DB90
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 6C71AA1E
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6C71AA29
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6C71AA97
                                        • Part of subcall function 6C71A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C71A938
                                      • std::locale::_Setgloballocale.LIBCPMT ref: 6C71AA44
                                      • _Yarn.LIBCPMT ref: 6C71AA5A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                      • String ID:
                                      • API String ID: 1088826258-0
                                      • Opcode ID: a614cf457678982d29379d19b86414a1392f7d9b7ced2425db3825344d454d6c
                                      • Instruction ID: abdef16ea48d3a1e91c71ce265141fff904b537bd27498c6b41fc93786417eb5
                                      • Opcode Fuzzy Hash: a614cf457678982d29379d19b86414a1392f7d9b7ced2425db3825344d454d6c
                                      • Instruction Fuzzy Hash: 1B015AB5B082229FDB06DF20CA599BD7BB1FB85668B1D4458D80157F80DF34AA0ADBC1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $!$@
                                      • API String ID: 3519838083-2517134481
                                      • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                      • Instruction ID: b2660d57c85239beef097a54ae3033f904d11d87853a7b552dddfbb216acb7bb
                                      • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                      • Instruction Fuzzy Hash: CE12AC70D06249DFCF04CFA8D684ADEBBB1FF58318F148069E449ABB52DB31A945CB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog__aulldiv
                                      • String ID: $SJ
                                      • API String ID: 4125985754-3948962906
                                      • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                      • Instruction ID: 0bfd24b7e47ee17fa2145c8dbf3a024078844ca696da589578ad24c61b6f1b65
                                      • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                      • Instruction Fuzzy Hash: A3B18EB1D0020ADFCB54CFA6DAC49AEBBB5FF48318F60852ED815A7B51C730AA44DB50
                                      APIs
                                        • Part of subcall function 6C71AA17: __EH_prolog3.LIBCMT ref: 6C71AA1E
                                        • Part of subcall function 6C71AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C71AA29
                                        • Part of subcall function 6C71AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C71AA44
                                        • Part of subcall function 6C71AA17: _Yarn.LIBCPMT ref: 6C71AA5A
                                        • Part of subcall function 6C71AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C71AA97
                                        • Part of subcall function 6C5E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C5E2F95
                                        • Part of subcall function 6C5E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C5E2FAF
                                        • Part of subcall function 6C5E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C5E2FD0
                                        • Part of subcall function 6C5E2F60: __Getctype.LIBCPMT ref: 6C5E3084
                                        • Part of subcall function 6C5E2F60: std::_Facet_Register.LIBCPMT ref: 6C5E309C
                                        • Part of subcall function 6C5E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C5E30B7
                                      • std::ios_base::_Addstd.LIBCPMT ref: 6C5E211B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 3332196525-1866435925
                                      • Opcode ID: 04d8ec192ce0986a42542055c0b6a918985e023e5b85f10ec2472fe0c2d47874
                                      • Instruction ID: 4d85a3f0a1a101b8180a77b5ba16f5ffa298ec3204ac514c3427f94d7f61f725
                                      • Opcode Fuzzy Hash: 04d8ec192ce0986a42542055c0b6a918985e023e5b85f10ec2472fe0c2d47874
                                      • Instruction Fuzzy Hash: ED419EB1A0030A9FDB04CF64CC497AABBB1FF48314F148268E919AB791E7759985CF91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 0$LrJ$x
                                      • API String ID: 3519838083-658305261
                                      • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                      • Instruction ID: bfcd1eefe0b587db6274f97fc66205d46d5a65eafca24330a91e7f464ee694b9
                                      • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                      • Instruction Fuzzy Hash: 81214D36D02119DBCF04DBD8DA98AEEB7B5EF98309F20406AD51177680DB755E08CBA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C777ECC
                                        • Part of subcall function 6C76258A: __EH_prolog.LIBCMT ref: 6C76258F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: :hJ$dJ$xJ
                                      • API String ID: 3519838083-2437443688
                                      • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                      • Instruction ID: 8ea575644e39ffe8a51624c103b702d53c09a181233bc76804e33c6c9039897d
                                      • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                      • Instruction Fuzzy Hash: A621DAB1801B40CFC761CF6AC14828ABBF4BF29708B40C95EC0EA97B11D7B8A509CF59
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C72E7C0,6C5E1DEA,00008000,6C72E7C0,?,?,?,6C72E36F,6C72E7C0,?,00000000,6C5E1DEA), ref: 6C72E4B9
                                      • GetLastError.KERNEL32(?,?,?,6C72E36F,6C72E7C0,?,00000000,6C5E1DEA,?,6C737D8E,6C72E7C0,000000FF,000000FF,00000002,00008000,6C72E7C0), ref: 6C72E4C3
                                      • __dosmaperr.LIBCMT ref: 6C72E4CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID: 8Q
                                      • API String ID: 2336955059-4022487301
                                      • Opcode ID: bb23c3328b5a48830711d699271df5f9d06f360a57a80c2880ddc814364b70e7
                                      • Instruction ID: 7dae13bcb712963987aac80012fc9775004a6951eb830397d0ead261a657784a
                                      • Opcode Fuzzy Hash: bb23c3328b5a48830711d699271df5f9d06f360a57a80c2880ddc814364b70e7
                                      • Instruction Fuzzy Hash: 77014C33710519ABCB059F69CD09C9D7B3EEBC6335B244219F8209B780EA35D901C7E0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C7961BA
                                        • Part of subcall function 6C796269: __EH_prolog.LIBCMT ref: 6C79626E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: J$0J$DJ
                                      • API String ID: 3519838083-3152824450
                                      • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                      • Instruction ID: 6c5536bf9693cbb1e46098e04b170e794078a2ba09b35f9890f1b6e541567f1b
                                      • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                      • Instruction Fuzzy Hash: 691104B1901B50CFC720CF5AC5986D6FBE0FB25304F50C96ED0AA87712C7B4A508CB64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: <J$DJ$HJ$TJ$]
                                      • API String ID: 0-686860805
                                      • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                      • Instruction ID: 0f5d2cc12c31335bb9af1c8e25d8fac12dcf49ca1e9ae073d6537c8c83d33a3b
                                      • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                      • Instruction Fuzzy Hash: DF41E570C0124DAFDF14DBA2DA988EEB774AF1030CB60C06DD46127E50EB35A64DCBA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                                      • API String ID: 0-3393562052
                                      • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                      • Instruction ID: 96aecf23435f88dbd243fb650b6befda2b8db158fce49c2c5b9140bc7122aa5b
                                      • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                      • Instruction Fuzzy Hash: 662106B1580B419FC320CF26C58978BFBF4FB15754F50DA2ED5AA57A41C7B8A208CB98
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,6C722654,6C749DD0,0000000C), ref: 6C7280A7
                                      • _free.LIBCMT ref: 6C728104
                                      • _free.LIBCMT ref: 6C72813A
                                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C722654,6C749DD0,0000000C), ref: 6C728145
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorLast_free
                                      • String ID:
                                      • API String ID: 2283115069-0
                                      • Opcode ID: c6a3207ce5d342f76203a2439c244511d4bb2116357700829f9958115152d1ea
                                      • Instruction ID: 7f3d68671f398d1048939e17cf553ac757dfaae33f03347daf628cb12faf20c1
                                      • Opcode Fuzzy Hash: c6a3207ce5d342f76203a2439c244511d4bb2116357700829f9958115152d1ea
                                      • Instruction Fuzzy Hash: 78118A73704601ABDB2119758F8DD5B23ADEBC22BDB25463AF52492EC0EF2F8C05C250
                                      APIs
                                      • WriteConsoleW.KERNEL32(00000000,?,6C737DDC,00000000,00000000,?,6C738241,00000000,00000001,00000000,6C72E7C0,?,6C72F976,?,?,6C72E7C0), ref: 6C7395C1
                                      • GetLastError.KERNEL32(?,6C738241,00000000,00000001,00000000,6C72E7C0,?,6C72F976,?,?,6C72E7C0,?,6C72E7C0,?,6C72F40C,6C7391A6), ref: 6C7395CD
                                        • Part of subcall function 6C73961E: CloseHandle.KERNEL32(FFFFFFFE,6C7395DD,?,6C738241,00000000,00000001,00000000,6C72E7C0,?,6C72F976,?,?,6C72E7C0,?,6C72E7C0), ref: 6C73962E
                                      • ___initconout.LIBCMT ref: 6C7395DD
                                        • Part of subcall function 6C7395FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C73959B,6C73822E,6C72E7C0,?,6C72F976,?,?,6C72E7C0,?), ref: 6C739612
                                      • WriteConsoleW.KERNEL32(00000000,?,6C737DDC,00000000,?,6C738241,00000000,00000001,00000000,6C72E7C0,?,6C72F976,?,?,6C72E7C0,?), ref: 6C7395F2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                      • String ID:
                                      • API String ID: 2744216297-0
                                      • Opcode ID: 7d4f7942d3a6179216124cdfa7d8b5f9ba7c11f5a60dfc26ae2aa59c0c664ff2
                                      • Instruction ID: d890e58243fe57ca3411c870ade182cd3bf0d6aa2b3b653c2c47b3caaa4335bf
                                      • Opcode Fuzzy Hash: 7d4f7942d3a6179216124cdfa7d8b5f9ba7c11f5a60dfc26ae2aa59c0c664ff2
                                      • Instruction Fuzzy Hash: CAF03736201125FBCF121F91CC499893F76FF06775B045570F90E95551DF328860DB91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: x'K$|'K
                                      • API String ID: 3519838083-1041342148
                                      • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                      • Instruction ID: 7ae78f60fe0249ef8cce80dc5efefebc6d9ad7023a8e07410b59d3806968df93
                                      • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                      • Instruction Fuzzy Hash: 4DD10630944646AACB20DBE8CB58AEFBBB1FF01308F20472DD0A693D94DB65664FC751
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog3_
                                      • String ID: 8Q
                                      • API String ID: 2427045233-4022487301
                                      • Opcode ID: fb62b8b3544d4421d7e004f24d406a644d618526b9511e172b1e4aacdc3fe90c
                                      • Instruction ID: b21e7687e3ec0db41619040117ccd8277257cb342496cdbf77f6253c82f46660
                                      • Opcode Fuzzy Hash: fb62b8b3544d4421d7e004f24d406a644d618526b9511e172b1e4aacdc3fe90c
                                      • Instruction Fuzzy Hash: 0C71E671D452169BDF108F95CA846EE7A75FF45318F24823BE820E7A40DB79CA45CBA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @$hfJ
                                      • API String ID: 3519838083-1391159562
                                      • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                      • Instruction ID: 311c9f47dbe516736963dfae9b2cc3ab287ceb69ee5c0abac0e247dbee90c657
                                      • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                      • Instruction Fuzzy Hash: 8F912970910249DFCF20DFA9CA989DEFBB4BF19308F54452EE455E7A90D770AA48CB21
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6C76BC5D
                                        • Part of subcall function 6C76A61A: __EH_prolog.LIBCMT ref: 6C76A61F
                                        • Part of subcall function 6C76AA2E: __EH_prolog.LIBCMT ref: 6C76AA33
                                        • Part of subcall function 6C76BEA5: __EH_prolog.LIBCMT ref: 6C76BEAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: WZJ
                                      • API String ID: 3519838083-1089469559
                                      • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                      • Instruction ID: 8ebd1173d8d4f6eb700d288e07952e8c19f3ebe9e816f3908a3eed4e818bc054
                                      • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                      • Instruction Fuzzy Hash: 03819131D00158DFCF15DFA9D698ADDBBB4AF19318F1080A9E91277B91DB30AE09DB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: <dJ$Q
                                      • API String ID: 3519838083-2252229148
                                      • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                      • Instruction ID: b9552d5c10a7515b1a0b740a5d42811920adba9444e3d0d422f69886ab9eb21c
                                      • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                      • Instruction Fuzzy Hash: 3B518F7190464EEFCF11DFD8CA888EDB7B2BF49318F10852EE525AB650D7319A49CB20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $D^J
                                      • API String ID: 3519838083-3977321784
                                      • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                      • Instruction ID: e11821ab6bd6fb4acfaf9944ecdfc8f7a8a01e426e27c657ee087e3c5e750c6a
                                      • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                      • Instruction Fuzzy Hash: EC415F209055A85ED7169B3A8E58BFCBBA27F17308F18C179CC9647EC1D764188AC7F0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 8)L$8)L
                                      • API String ID: 3519838083-2235878380
                                      • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                      • Instruction ID: c5544d2bc0d1a417499300f1e895fbe7afb4d6f71372ad794de359ec8acc82a4
                                      • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                      • Instruction Fuzzy Hash: 6951B132203640CFD7149F64CA98ADABBF2FF45308F50857ED29A87A60DB317848CB54
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C74B000, based on PE: true
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: qJ$#
                                      • API String ID: 3519838083-4209149730
                                      • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                      • Instruction ID: 8d0373a7a7ad063cd0cb1862ec8d4bb8d99abb0f21f672a22898316949f7a457
                                      • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                      • Instruction Fuzzy Hash: 28516A75A0024DDFCF20CFA8C6849DDBBB5BF09328F148158E811AB791D735EA19CBA1
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C737DC6), ref: 6C73070B
                                      • __dosmaperr.LIBCMT ref: 6C730712
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2191322409.000000006C591000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C590000, based on PE: true
                                      • Associated: 00000006.00000002.2191296599.000000006C590000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192460282.000000006C73B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2192559146.000000006C74B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193135171.000000006C816000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193188267.000000006C81C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000006.00000002.2193891551.000000006C907000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c590000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr