Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (escaped form of 安装程序_1.1.2.exe; 安装程序 means "installer")
renamed because original name is a hash value
Original sample name: _1.1.2.exe
Analysis ID: 1580551
MD5: 8af97a4879574d6e29e4e9fcd3a9bef0
SHA1: 3c0fcaf35b6f6cb6eb710ccb91c691fa629430ab
SHA256: ac7a870316c9f66b5750e39592f97e58a5ae8da0f05951a5f25047b15aa88041
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (PID: 508 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" MD5: 8AF97A4879574D6E29E4E9FCD3A9BEF0)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PID: 3268 cmdline: "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" MD5: C9B4238B2FFEC70B575E52822B8A8F70)
      • powershell.exe (PID: 2012 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2960 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • Conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT MD5: 8AF97A4879574D6E29E4E9FCD3A9BEF0)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PID: 4616 cmdline: "C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$3041A,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT MD5: C9B4238B2FFEC70B575E52822B8A8F70)
          • 7zr.exe (PID: 5256 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5144 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5256 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5392 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 1136 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3704 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6956 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6956 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4600 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2444 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5684 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6684 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6812 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5952 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5920 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6880 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5392 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6812 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ParentProcessId: 3268, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2012, ProcessName: powershell.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3704, ProcessName: sc.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ParentProcessId: 3268, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2012, ProcessName: powershell.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3704, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ParentProcessId: 3268, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2012, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc, ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\update.vbc, ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\update.vbc, ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Virustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2241114030.0000000003920000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2241033578.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, Code function: 7_2_6C2EE090 FindFirstFileA,FindClose,FindClose,7_2_6C2EE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 11_2_00156868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00156868
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 11_2_00157496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00157496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000003.2207927600.0000000004020000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, hrsw.vbc.7.dr, 7zr.exe.7.dr, update.vbc.2.dr, String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2120481690.000000007F0EB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2119795728.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2121975249.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000000.2211248489.000000000066D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr, String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2120481690.000000007F0EB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2119795728.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2121975249.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000000.2211248489.000000000066D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr, String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, Process information set: 01 00 00 00

System Summary

Source: update.vbc.2.dr | Static PE information: section name: .aQ#
Source: update.vbc.7.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.7.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2F8810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,7_2_6C2F8810
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C173886
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C173C62
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C2F9450
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C173D18
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C173D62
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C1739CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C1739CF
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C173A6A
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C171950 CreateFileA,DeviceIoControl,CloseHandle,7_2_6C171950
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C174754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,7_2_6C174754
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001EFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001528E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00151E40 appears 152 times
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: String function: 6C3C9F10 appears 727 times
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: String function: 6C32C240 appears 53 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000000.2118310293.0000000000239000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName OtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2120481690.000000007F3EA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName OtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2119795728.00000000030CE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName OtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Binary or memory string: OriginalFileName OtgA1A8ax7m.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal92.evad.winEXE@135/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C2F9450
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00159313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_00159313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00163D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_00163D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00159252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,11_2_00159252
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2F8930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,7_2_6C2F8930
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Program Files (x86)\Windows NT\is-FLD24.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Virustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$3041A,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp "C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$3041A,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
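The process chain above, from the Inno Setup .tmp through powershell.exe (a Defender exclusion for the whole of C:\), 7zr.exe (password-protected .dat archives) and sc.exe (a kernel service whose binary is a .dll, then dozens of `sc start` calls), is the part of this report worth turning into a detection. The following Python is an added example, not Joe Sandbox output and not code from the sample: it runs four command-line checks over a constructed event list modelled on the entries above and separately counts repeated `sc start` calls per service. The (parent, command line) pairing, the burst threshold and the "unusual kernel driver image" heuristic are assumptions of the example, not report fields.

```python
"""Process-chain triage for the installer behaviour logged above.

Added example, not Joe Sandbox code. SAMPLE_EVENTS is constructed by hand to
mirror the report's process-creation entries; the (parent, command line)
pairing and the thresholds are assumptions, not report fields.
"""
import re
from collections import Counter

INSTALLER_TMP = r"C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp"

# Constructed sample events: (parent image, child command line).
SAMPLE_EVENTS = [
    (INSTALLER_TMP,
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    (INSTALLER_TMP,
     r'"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT'),
    (INSTALLER_TMP, r"7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (r"C:\Windows\System32\cmd.exe",
     r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
] + [(r"C:\Windows\System32\cmd.exe", "sc start CleverSoar")] * 6

DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^'\"]+)", re.I)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)$", re.I)
BINPATH = re.compile(r'binPath=\s*"([^"]+)"|binPath=\s*(\S+)', re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
SEVENZIP_X = re.compile(r"\b7zr?(?:\.exe)?\s+x\s+(.*)$", re.I)


def _finding(rule, severity, parent, detail):
    return {"rule": rule, "severity": severity, "parent": parent, "detail": detail}


def check_defender_exclusion(parent, cmd):
    """Any Add-MpPreference exclusion; a drive root excludes the whole volume."""
    m = DEFENDER_EXCL.search(cmd)
    if not m:
        return None
    kind, target = m.group(1), m.group(2).strip()
    detail = f"-Exclusion{kind} {target}"
    if kind.lower() == "path" and re.fullmatch(r"[A-Za-z]:\\?", target):
        detail += " (whole volume excluded from scanning)"
    return _finding("defender_exclusion", "high", parent, detail)


def check_kernel_service(parent, cmd):
    """sc create ... type= kernel whose image is not a .sys under a drivers directory (heuristic)."""
    m = SC_CREATE.search(cmd)
    if not m or not re.search(r"type=\s*kernel", m.group(2), re.I):
        return None
    name, rest = m.group(1), m.group(2)
    bp = BINPATH.search(rest)
    image = (bp.group(1) or bp.group(2)) if bp else ""
    oddities = []
    if not image.lower().endswith(".sys"):
        oddities.append("image extension is not .sys")
    if "\\drivers\\" not in image.lower():
        oddities.append("image is not under a drivers directory")
    if not oddities:
        return None
    severity = "high" if not image.lower().endswith(".sys") else "medium"
    return _finding("kernel_service_create", severity, parent,
                    f"service {name} -> {image}: " + "; ".join(oddities))


def check_password_archive(parent, cmd):
    """7zr x with a -p password on the command line: the key ships with the dropper."""
    m = SEVENZIP_X.search(cmd)
    if not m:
        return None
    tokens = m.group(1).split()
    archive = next((t for t in tokens if not t.startswith("-")), "")
    password = next((t[2:] for t in tokens if t.startswith("-p")), None)
    if password is None:
        return None
    return _finding("password_archive_extract", "medium", parent,
                    f"{archive} extracted with embedded password {password!r}")


def check_silent_relaunch(parent, cmd):
    """An installer .tmp re-launching something with /VERYSILENT (low on its own)."""
    if re.search(r"/VERYSILENT\b", cmd, re.I) and parent.lower().endswith(".tmp"):
        return _finding("installer_silent_relaunch", "low", parent, cmd)
    return None


CHECKS = (check_defender_exclusion, check_kernel_service, check_password_archive, check_silent_relaunch)


def triage(events):
    """Run every check over (parent, command line) pairs; findings come back in log order."""
    findings = []
    for parent, cmd in events:
        for check in CHECKS:
            f = check(parent, cmd)
            if f:
                findings.append(f)
    return findings


def sc_start_bursts(events, threshold=5):
    """Services whose 'sc start' was issued at least `threshold` times."""
    counts = Counter()
    for _, cmd in events:
        m = SC_START.search(cmd)
        if m:
            counts[m.group(1)] += 1
    return {svc: n for svc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
    print("sc start bursts:", sc_start_bursts(SAMPLE_EVENTS))
```

The checks key on the child command line rather than the parent, so they hold whichever process the sandbox attributes a creation to. The kernel-service rule is deliberately a heuristic: a vendor driver registered from Program Files trips the directory check alone, so only a non-.sys image is rated high. The `sc start` burst is its own signal: a kernel service that came up on the first attempt gives the installer no reason to issue the same start command dozens of times, as it does above.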
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static file information: File size 9026305 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2241114030.0000000003920000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2241033578.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,11_2_001D57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: real checksum: 0x0 should be: 0x89f7e2
Source: update.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.2.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x3436dd
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x3436dd
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vbc.2.dr | Static PE information: section name: .00cfg
Source: update.vbc.2.dr | Static PE information: section name: .voltbl
Source: update.vbc.2.dr | Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vbc.7.dr | Static PE information: section name: .00cfg
Source: update.vbc.7.dr | Static PE information: section name: .voltbl
Source: update.vbc.7.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2FBDDB push ecx; ret 7_2_6C2FBDEE
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C32E9F4 push 004AC35Ch; ret 7_2_6C32EA0E
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C3CA290 push eax; ret 7_2_6C3CA2BE
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C3C9F10 push eax; ret 7_2_6C3C9F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001545F4 push 001FC35Ch; ret 11_2_0015460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001EFB10 push eax; ret 11_2_001EFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001EFE90 push eax; ret 11_2_001EFEBE
Source: update.vbc.2.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.7.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.7.dr | Static PE information: section name: .aQ# entropy: 7.189081398239323
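The static PE entries above (zero or mismatched checksums, the `.aQ#` section name, the 7.19-bit entropy of that section) are three checks that are cheap to reproduce outside the sandbox on any dropped file. The following Python is an added example, not Joe Sandbox code and not a parser of this sample: it assembles a small constructed PE32 image in memory, recomputes the header CheckSum with the imagehlp algorithm, and reports section names with characters outside the usual set and sections above an entropy threshold. The threshold (7.0), the allowed-character rule and the constructed section contents are assumptions of the example.

```python
"""Static PE triage for the checksum and section anomalies listed above.

Added example, not Joe Sandbox code. It builds a small constructed PE32 image
in memory (no real sample is read), then recomputes the header CheckSum the
way imagehlp does, lists section names and measures each section's entropy.
Thresholds and the 'special character' rule are assumptions.
"""
import hashlib
import math
import re
import struct
from collections import Counter

FILE_ALIGN = 0x200


def _align(n, a=FILE_ALIGN):
    return -(-n // a) * a


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain), standing in for packed data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed section contents: a NOP sled, and a section named like the
# report's ".aQ#" filled with high-entropy bytes.
SAMPLE_SECTIONS = [(b".text", b"\x90" * 1000 + b"\xc3"), (b".aQ#", pseudo_random(4096))]


def build_sample_pe(sections, stored_checksum=0):
    """Assemble a minimal PE32: DOS stub, COFF header, optional header, section table, raw data."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)           # OptionalHeader.CheckSum
    first_raw = _align(64 + 4 + 20 + 224 + 40 * len(sections))
    table, body, raw_ptr, va = bytearray(), bytearray(), first_raw, 0x1000
    for name, content in sections:
        raw_size = _align(len(content))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += raw_size
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(first_raw, b"\0") + bytes(body)


def _checksum_offset(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 24 + 64                                  # CheckSum sits 64 bytes into the optional header


def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data):
    """Recompute the PE CheckSum: 16-bit ones'-complement style fold over every dword
    except the CheckSum field itself, plus the file length."""
    skip = _checksum_offset(data) // 4
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, 4 * i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_sections(data):
    """Yield (name, raw bytes) for each entry in the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), data[rptr:rptr + rsize]


def shannon_entropy(blob):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def static_triage(data, entropy_threshold=7.0):
    """Report the same three anomaly classes the sandbox lists above."""
    findings = []
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored != computed:
        findings.append(f"real checksum: {stored:#x} should be: {computed:#x}")
    for name, raw in parse_sections(data):
        if not re.fullmatch(r"\.?[A-Za-z0-9_$]{1,7}", name):
            findings.append(f"section name with special chars: {name!r}")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append(f"section {name} entropy {ent:.3f} (packed or encrypted payload likely)")
    return findings


if __name__ == "__main__":
    for line in static_triage(build_sample_pe(SAMPLE_SECTIONS)):
        print(line)
```

To run the same triage on a dropped file, pass `open(path, "rb").read()` to `static_triage` instead of the constructed image. Weigh the checksum finding with the loader's behaviour in mind: Windows validates CheckSum only for drivers, DLLs loaded at boot and DLLs loaded into critical system processes, so the `0x0` on the user-mode installer mostly means the linker was never asked to set one, while the mismatch on tProtect.dll, which the installer registers as a kernel service, is the one worth chasing.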
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\update.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6507
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3326
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Window / User API: threadDelayed 630
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Window / User API: threadDelayed 599
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Window / User API: threadDelayed 545
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2EE090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00156868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00157496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00159C60 GetSystemInfo
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000002.2218980758.000000000118D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C173886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C303871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C30D425 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C30D456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C30286D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C2FC3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp | Code function: 7_2_6C3CA720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001F0090 GetVersion
MITRE ATT&CK matrix (one tactic per column; a leading number marks a technique the report matched):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 25 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580551 | Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... | Start date: 25/12/2024 | Architecture: WINDOWS | Score: 92

Signatures on the sample node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 2 other signatures

Process tree recovered from the behavior graph (node ids as in the graph; indentation = started by the process above):

11 #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (started from the sample node)
    dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PE32)
    20 #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        signature: Adds a directory exclusion to Windows Defender
        38 #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
            dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp (PE32)
            58 #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
                signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                68 7zr.exe
                    dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                    77 conhost.exe
                71 cmd.exe
                    79 sc.exe
                        85 conhost.exe
                73 7zr.exe
                    81 conhost.exe
                75 cmd.exe
                    83 sc.exe
        41 powershell.exe
            signature: Loading BitLocker PowerShell Module
            62 conhost.exe
            64 WmiPrvSE.exe
            66 Conhost.exe
14 cmd.exe (started from the sample node)
    24 sc.exe
        44 conhost.exe
    26 conhost.exe
16 cmd.exe (started from the sample node)
    28 sc.exe
        46 conhost.exe
18 28 other processes (started from the sample node)
    30 sc.exe
        48 conhost.exe
    32 sc.exe
        50 conhost.exe
    34 sc.exe
        52 conhost.exe
    36 24 other processes
        54 conhost.exe
        56 23 other processes

Submitted file:
Source | Detection | Scanner | Label
#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | 5% | ReversingLabs | Win32.Ransomware.Generic
#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | 10% | Virustotal |

Dropped files:
Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-IF8V3.tmp\update.vbc | 26% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-R11LS.tmp\update.vbc | 26% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2120481690.000000007F0EB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2119795728.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2121975249.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000000.2211248489.000000000066D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2120481690.000000007F0EB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, 00000000.00000003.2119795728.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000002.00000000.2121975249.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp, 00000007.00000000.2211248489.000000000066D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp.6.dr | false | | high
        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580551
Start date and time: 2024-12-25 04:40:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 108
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe (renamed because the original name is a hash value)
Original Sample Name: _1.1.2.exe
Detection: MAL
Classification: mal92.evad.winEXE@135/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 27
• Number of non-executed functions: 112
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No context
        No context
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | | malicious | Unknown |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.6.exe | | malicious | Unknown |
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: data
Category: dropped
Size (bytes): 2816881
Entropy (8bit): 7.999933043989355
Encrypted: true
SSDEEP: 49152:ZBrHFbLMoMCEikwqNJq19boUCFCLzBAZJROkR+8nWn80/E7mWF1U/I9:ZpHF8AEi9UUCOBCROoNn08087momq
MD5: 30DAC62C861E3FE4F2E8AD658111B19D
SHA1: C9146F70AB0EB27E51D3DBDF903CBAAEDF8C98FF
SHA-256: 72F3161CF0EA21DA1C58A372B113F4C1B4685B1707B035FA0BFC46491864942A
SHA-512: 69F680EB3A130DC4C1F377F20A484EFB526DD4A9AAD7FE1CB82AD80AEBB86E2B4F1E8259FF35A3D87C93B504C888F96030853033A88522B497344813CCA7F7C8
Malicious: false
                          Preview:.@S.......i........................C.-.v......t.{.9.....D ....3.'*...R......)@........^.edA^..0.Zh.......@_a>O..?'.............?.H.,...].Q.8.-..[...u..l.....F..E..*.S.Z;.....Z0.w...A..z*_..... .g..u.g..1.Ku...r.5..OL.H".Hx...G...\..6.,.`..HB.?.v..H. ..\N.....ix..Q.......n.RB......u.3\=hp......^vQ...o;..sm.T...u.....eNd.N...`W(c(>....m.._.O..v..!H....P.J......kO.U.kv.4.......v.i...........g...r.....fu....Q..'..x.)f.).{......bPm.W.........9x....E.!...'......."....;8......f$.$,....)'.....vZ.mc....N..%z...B.;.......|v.{..H......B^..'..'.<.rD..........Bl.S.K..\.......4.'...0.\....~......>>_.._*J.V...].... ...N4.U.+..........\|.?.....q......](.n/.*xV.+<......}].E8..._...ZXr.Yy.. ?..Ur....G.=.<.%....SO..i5S.........s......X.....LY.M.....H...D`.....(F...`..7...A7...WB*.....~...1.8.RI.k"+..o1.1/\\J3....NZ?T. .]..C?[W]...6.w@.u........}...0$Y....`8<.8.u=..{...[.M)..~.\..3...X....\pmh.....K...J...EZx;`.*...j..(.<..\.g2.....a..<....j|.V.........r....
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: data
Category: dropped
Size (bytes): 2816881
Entropy (8bit): 7.999933043989355
Encrypted: true
SSDEEP: 49152:ZBrHFbLMoMCEikwqNJq19boUCFCLzBAZJROkR+8nWn80/E7mWF1U/I9:ZpHF8AEi9UUCOBCROoNn08087momq
MD5: 30DAC62C861E3FE4F2E8AD658111B19D
SHA1: C9146F70AB0EB27E51D3DBDF903CBAAEDF8C98FF
SHA-256: 72F3161CF0EA21DA1C58A372B113F4C1B4685B1707B035FA0BFC46491864942A
SHA-512: 69F680EB3A130DC4C1F377F20A484EFB526DD4A9AAD7FE1CB82AD80AEBB86E2B4F1E8259FF35A3D87C93B504C888F96030853033A88522B497344813CCA7F7C8
Malicious: false
                          Preview:.@S.......i........................C.-.v......t.{.9.....D ....3.'*...R......)@........^.edA^..0.Zh.......@_a>O..?'.............?.H.,...].Q.8.-..[...u..l.....F..E..*.S.Z;.....Z0.w...A..z*_..... .g..u.g..1.Ku...r.5..OL.H".Hx...G...\..6.,.`..HB.?.v..H. ..\N.....ix..Q.......n.RB......u.3\=hp......^vQ...o;..sm.T...u.....eNd.N...`W(c(>....m.._.O..v..!H....P.J......kO.U.kv.4.......v.i...........g...r.....fu....Q..'..x.)f.).{......bPm.W.........9x....E.!...'......."....;8......f$.$,....)'.....vZ.mc....N..%z...B.;.......|v.{..H......B^..'..'.<.rD..........Bl.S.K..\.......4.'...0.\....~......>>_.._*J.V...].... ...N4.U.+..........\|.?.....q......](.n/.*xV.+<......}].E8..._...ZXr.Yy.. ?..Ur....G.=.<.%....SO..i5S.........s......X.....LY.M.....H...D`.....(F...`..7...A7...WB*.....~...1.8.RI.k"+..o1.1/\\J3....NZ?T. .]..C?[W]...6.w@.u........}...0$Y....`8<.8.u=..{...[.M)..~.\..3...X....\pmh.....K...J...EZx;`.*...j..(.<..\.g2.....a..<....j|.V.........r....
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.996192844152609
Encrypted: true
SSDEEP: 1536:Af2p56rS/DpbGo5YM8KCF9wnVHalZQkMiHzN:Af2pD/Dpd5YMWq5aYWHzN
MD5: 76A87B3550627ACE10DF48ECD5537029
SHA1: D34842F146058E6D12FDCB41296819B0A10FB153
SHA-256: 581D714F4E7545712390695EEFFED03F87F765AE4DCA475B0312287309BF649E
SHA-512: D57B6ABA9EB143E079BECED4D4EBD941E3961E1A8279DF17C39CE816242030821F9BAAF0C30988D5C7EEE27ABED4EE588089B65EAA828CCEBAFD5C83F1D992C0
Malicious: false
                          Preview:.@S.....^.. ...............3...O..h%....x....2.4.C.WZ..w.W...#.......J..d.6....\.. ..xkG.k......~..<~.........q(......8..o...0f..k..\....m....u..=.4.:....j..P.....%c..rQq../"..t..i.3.`..i..z...P.b..bc.IO...*$*+.D.O7.cH.pi=Thi.Sg..?D..;..{.L..C.d......C.t)Z.r-.p7.=v...b...@<F;..X.jv...6....8.-.......#,~y.\.......#j..-:...Uo..3".ri.U...9+...5...8~p..}......~[........._..2W.?.)M.O.O3.-Y0c.E.[...._]..._*A.......E...~..z..ke.-.N..-.....4.i.SH.%ac..#.S.......e..\3..z.,...CC...u.J1...{..2.T8...l......9S6.b.zL,Y..>.S...*..._..k...x..{..P...n_..LeP.... .|.#.D.PK.7.),2...z.W6..eu.....V...v...s.>O.>r7.~..9b..........W..Z..:...|.C.....F.............Gk^...x1..3S].f.CS.(.%X....V.3....)..............\s...)k..S.b>.m..BH..QZ.F.4M...2k.....D..<.E ..uc4.$....('.......].~......+...C.IKs5...h...W.4......M9../r..X|}.....@..}..a9.........VJ....H.....H|.G.<...2...?...~._Fl.:.....,.34..f..N.:.n...L..."..u..C0...D..X...9X.3..|.v.T.......'..bu.l...l.
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.996192844152606
Encrypted: true
SSDEEP: 768:BRzzwFFBJ/XghYQ6peMARgkAAgne1ttjDz7bfzRTBozKyYP2oBXa6g:BRqaYQyapAA71ttjD7zpJvXi
MD5: F3DAC8AF8FA59C160B8B538FAF3F0A8F
SHA1: D85BC8165C09EB7B64359CB6615D32CBB4F6142A
SHA-256: 591885182DD1E3348C8228BE438AADF9C62611F52AB5E7D267AB556E5533D852
SHA-512: 8FFECB53FF972F1854F62E4CD75E9683BEAE1FF9931E6047DE2A2A25C13CF3D72BF6EA89B21E0C27EBBE3C4AF91A64ACB7D8C33E88398B079A5FF089D092D535
Malicious: false
                          Preview:7z..'.../.8hp.......2.........O.W.E#..OHQx.0O.I.8.+[.... a.N......#..UH...D....t.5..O.:G[...c.!.W.f....#R..!..]$h.QK^c....AS^qr.N..\~...~.u...F.R.t.O....i.p...[...>;.%.V..[..\(....\.......u...+...+.2.SP0.B........S="......n..#z.........L...QF.[...9E.w.A...zp.X.<.%..}...........!J`.....e7.6..!Mv-.h....q..9..8^TD.....Pk"<.A/ng..V..t.;..GL..G..+.QE...xa..wU<..HX.$..=Sq..Sq...#i-...X$r.~........T..k...\}.....1....G..."9..nY..89.q5..M.U..A..y.'..q.{..s....u...8.vG..d........aF..~..|..v.C.R}....D..$&R+!8C...?.... ..C..T.7.A...+.'...kV.z.._./..ig...E.^..>...W.9i....B.......D...R..S2Q....-=.l+,[.O.X..:E...F.ha1.?..+/._..t...9..Y.....L.)6".Uyd.....K....}6..X%.......x.]...b..s...I.RH...H.+d.R.....i.l,V....{.2k.....H..,..........H...hpEU>d._A.E..l"...t...?Q8..!*_.>.5.....*b.j...C.^$......o~S..r.K...QEEO/..\z.]e....$;&O...8f..G6....S).s.k..>.D&Z...._...(O...D./.3...3.......$..{.WhF.A...<.?......v...57._..H%.........T.a.M.k......k.0.f.r..F.u.... B<K.-S
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
Process: C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5: CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1: 49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256: 7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512: 7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious: false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):2816881
                          Entropy (8bit):7.999933043989351
                          Encrypted:true
                          SSDEEP:49152:yOsCcDPovazTSEONhiY3EB9Zw/rZjzW6LmjZhhBozUrI/KlN7qA1L6sXVq2:yOsnDP9TSEODiY0B9ZwjE79hvoo0/JsP
                          MD5:F1ED3F0D0E4DF9EE652ED629BD74AE2C
                          SHA1:E785AE1A0837E94A1F4E47D3056C0A0575226103
                          SHA-256:B8DD3357EEEE78BE9BBDFD2BEEC42FDDCC49B540702A0E070A488822794D6418
                          SHA-512:8C661532115DC86038EC1DE26D30E79125390F3D4E01FF516239E51EB2776E5FF739C790A6DA113AAD4BCEE72972EA0AC7C016D60FC55AE9A0B1B460624851D2
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:ASCII text
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3477819334971057
                          Encrypted:false
                          SSDEEP:48:dXKLzDln+L6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnjwhldOVQOj6dKbKsz7
                          MD5:925F146227EB8EB8FED35B78FFB7568D
                          SHA1:7B70D313C0285134724718F231F68F3DEFFB79E9
                          SHA-256:29CC7512B35855C6BC2699717A049E89521621852913893FA98B910273442FAB
                          SHA-512:3C61A6AC158D2C600747490196D70BAE8087C7DB52257EB2A40F0D7F112E2F0EDE249C141C922B66AA811D95FC08441841D91A0E6A287874653664DAC7060F7E
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetw
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2566738
                          Entropy (8bit):7.99992559503684
                          Encrypted:true
                          SSDEEP:49152:ChxmtjEi7F1WpsGRApsU3euv0sSaXBNRqRNQ87FKbUOsXhiLrGb:ChAYi7FgXeKZuv9SSBNARNZ7FKbUNkab
                          MD5:41B2FD0B3E8F7CF3438131D893FF0157
                          SHA1:8D9B804D3E9AA5E1074921EC85CA2CC9B076E5B8
                          SHA-256:A9C3F6D4CBABE7F6B758EDC7602BC413DB7D0DFC016827E89D6B60A2B5E4F207
                          SHA-512:DEE2D2F7A5ABF9E20E6D9147BE9135968CC186F29A74755F6B690E55B4D91DD65902D7D1691B348E618DE72A31A140D451969CACC69E4ADF5269CD9495872857
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:Nlllul5mxllp:NllU4x/
                          MD5:3A925CB766CE4286E251C26E90B55CE8
                          SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                          SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                          SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530562538281642
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:C9B4238B2FFEC70B575E52822B8A8F70
                          SHA1:8B008190A81BD70F937E9ED70756E611A5814A17
                          SHA-256:69872DDA1D5F8A3C9F93646165519F8A97A1CE8E21DAFE680789020C973EC057
                          SHA-512:CA0FE894C953E066827ED0B116600E45C1791C178E65AACF1D1417085C6DBE05528AF230E0DD05B2AA0F35D10C2B4761A267D2A7EBB7B504AA1B7FFFD652CDF3
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530562538281642
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:C9B4238B2FFEC70B575E52822B8A8F70
                          SHA1:8B008190A81BD70F937E9ED70756E611A5814A17
                          SHA-256:69872DDA1D5F8A3C9F93646165519F8A97A1CE8E21DAFE680789020C973EC057
                          SHA-512:CA0FE894C953E066827ED0B116600E45C1791C178E65AACF1D1417085C6DBE05528AF230E0DD05B2AA0F35D10C2B4761A267D2A7EBB7B504AA1B7FFFD652CDF3
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.962340023354145
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                          File size:9'026'305 bytes
                          MD5:8af97a4879574d6e29e4e9fcd3a9bef0
                          SHA1:3c0fcaf35b6f6cb6eb710ccb91c691fa629430ab
                          SHA256:ac7a870316c9f66b5750e39592f97e58a5ae8da0f05951a5f25047b15aa88041
                          SHA512:17c2dd2a92c733040b474549ffaad59ffdc632fa15b0c701742c26f8bfda89b8bd62e91545889e57feec6e951a7bcb886d865a975dd16a4571b61c1e8db4d74d
                          SSDEEP:196608:ljhhOJmKi8b+H7K+ofxIrA12fIkfRZUNNbqlg:ljRKP+HGhxsAUfIQRZkUC
                          TLSH:AD962313F2CBD43EE06A0B3755B2A15484FB6A606427BE468AEC74ACCF365501E3E747
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F2B1C5F9FE5h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F2B1C68B96Bh
                          call 00007F2B1C68B4BEh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F2B1C686198h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F2B1C5F4093h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F2B1C6874C3h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F2B1C68B9F3h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F2B1C6926DAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F2B1C687DB8h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | bd2e661569cc3ed9cbb634151f4f1236 | False | 0.18764361213235295 | data | 3.7223784289670983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Imports
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken
                          English | United States
                          No network behavior found

                          Target ID:0
                          Start time:22:41:20
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
                          Imagebase:0x180000
                          File size:9'026'305 bytes
                          MD5 hash:8AF97A4879574D6E29E4E9FCD3A9BEF0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:22:41:21
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-BJCQN.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$203FE,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe"
                          Imagebase:0x4a0000
                          File size:3'366'912 bytes
                          MD5 hash:C9B4238B2FFEC70B575E52822B8A8F70
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:22:41:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff6e3d50000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:22:41:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:22:41:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff717f30000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:22:41:29
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
                          Imagebase:0x180000
                          File size:9'026'305 bytes
                          MD5 hash:8AF97A4879574D6E29E4E9FCD3A9BEF0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:7
                          Start time:22:41:30
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-T49VH.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.tmp" /SL5="$3041A,8071911,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe" /VERYSILENT
                          Imagebase:0x3f0000
                          File size:3'366'912 bytes
                          MD5 hash:C9B4238B2FFEC70B575E52822B8A8F70
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:22:41:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:22:41:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:22:41:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:22:41:32
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0x150000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          Has exited:true

                          Target ID:12
                          Start time:22:41:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0x150000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:22:41:33
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:22:41:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:22:41:35
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7403e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:22:41:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:22:41:37
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff73f180000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:22:41:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff6d5fb0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:266
                          Start time:22:41:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\Conhost.exe
                          Wow64 process (32bit):
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:
                          Has administrator privileges:
                          Programmed in:C, C++ or other language
                          Has exited:false

                            Execution Graph

                            Execution Coverage:1.2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:5.2%
                            Total number of Nodes:728
                            Total number of Limit Nodes:8
97627->97629 97628 6c17a9bb 97630 6c2fa133 std::_Facet_Register 4 API calls 97628->97630 97638 6c17a953 _Yarn _strlen 97629->97638 97630->97638 97631->97541 97631->97627 97631->97628 97631->97638 97632 6c2f86e0 4 API calls 97632->97643 97633 6c17fbb8 97634 6c17fbe8 ExitWindowsEx Sleep 97633->97634 97634->97551 97635 6c17f7c0 97635->97633 97636 6c17aff0 97639 6c2fa133 std::_Facet_Register 4 API calls 97636->97639 97637 6c17b009 97640 6c2fa133 std::_Facet_Register 4 API calls 97637->97640 97638->97558 97638->97636 97638->97637 97641 6c17afa0 _Yarn 97638->97641 97639->97641 97640->97641 97776 6c2f9050 97641->97776 97643->97625 97643->97626 97643->97632 97644 6c17b443 97648 6c2fa133 std::_Facet_Register 4 API calls 97644->97648 97645 6c17b42c 97647 6c2fa133 std::_Facet_Register 4 API calls 97645->97647 97646 6c17b059 std::ios_base::_Ios_base_dtor _strlen 97646->97541 97646->97644 97646->97645 97649 6c17b3da _Yarn _strlen 97646->97649 97647->97649 97648->97649 97649->97558 97650 6c17b7b7 97649->97650 97651 6c17b79e 97649->97651 97654 6c17b751 _Yarn 97649->97654 97653 6c2fa133 std::_Facet_Register 4 API calls 97650->97653 97652 6c2fa133 std::_Facet_Register 4 API calls 97651->97652 97652->97654 97653->97654 97655 6c2f9050 104 API calls 97654->97655 97656 6c17b804 std::ios_base::_Ios_base_dtor _strlen 97655->97656 97656->97541 97657 6c17bc26 97656->97657 97658 6c17bc0f 97656->97658 97661 6c17bbbd _Yarn _strlen 97656->97661 97660 6c2fa133 std::_Facet_Register 4 API calls 97657->97660 97659 6c2fa133 std::_Facet_Register 4 API calls 97658->97659 97659->97661 97660->97661 97661->97558 97662 6c17c075 97661->97662 97663 6c17c08e 97661->97663 97666 6c17c028 _Yarn 97661->97666 97664 6c2fa133 std::_Facet_Register 4 API calls 97662->97664 97665 6c2fa133 std::_Facet_Register 4 API calls 97663->97665 97664->97666 97665->97666 97667 6c2f9050 104 API calls 97666->97667 97672 6c17c0db std::ios_base::_Ios_base_dtor _strlen 97667->97672 97668 6c17c7a5 97670 6c2fa133 std::_Facet_Register 4 
API calls 97668->97670 97669 6c17c7bc 97671 6c2fa133 std::_Facet_Register 4 API calls 97669->97671 97679 6c17c753 _Yarn _strlen 97670->97679 97671->97679 97672->97541 97672->97668 97672->97669 97672->97679 97673 6c17d406 97676 6c2fa133 std::_Facet_Register 4 API calls 97673->97676 97674 6c17d3ed 97675 6c2fa133 std::_Facet_Register 4 API calls 97674->97675 97677 6c17d39a _Yarn 97675->97677 97676->97677 97678 6c2f9050 104 API calls 97677->97678 97680 6c17d458 std::ios_base::_Ios_base_dtor _strlen 97678->97680 97679->97558 97679->97673 97679->97674 97679->97677 97685 6c17cb2f 97679->97685 97680->97541 97681 6c17d8a4 97680->97681 97682 6c17d8bb 97680->97682 97686 6c17d852 _Yarn _strlen 97680->97686 97683 6c2fa133 std::_Facet_Register 4 API calls 97681->97683 97684 6c2fa133 std::_Facet_Register 4 API calls 97682->97684 97683->97686 97684->97686 97686->97558 97687 6c17dcb6 97686->97687 97688 6c17dccf 97686->97688 97691 6c17dc69 _Yarn 97686->97691 97689 6c2fa133 std::_Facet_Register 4 API calls 97687->97689 97690 6c2fa133 std::_Facet_Register 4 API calls 97688->97690 97689->97691 97690->97691 97692 6c2f9050 104 API calls 97691->97692 97694 6c17dd1c std::ios_base::_Ios_base_dtor 97692->97694 97693 6c2f86e0 4 API calls 97693->97625 97694->97541 97694->97693 97696 6c2fa138 97695->97696 97697 6c2fa152 97696->97697 97700 6c2fa154 std::_Facet_Register 97696->97700 97804 6c302704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 97696->97804 97697->97539 97699 6c2fafb3 std::_Facet_Register 97808 6c2fca69 RaiseException 97699->97808 97700->97699 97805 6c2fca69 RaiseException 97700->97805 97702 6c2fb7ac IsProcessorFeaturePresent 97705 6c2fb7d1 97702->97705 97704 6c2faf73 97806 6c2fca69 RaiseException 97704->97806 97705->97539 97707 6c2faf93 std::invalid_argument::invalid_argument 97807 6c2fca69 RaiseException 97707->97807 97710 6c2ee0a6 FindFirstFileA 97709->97710 97711 6c2ee0a4 97709->97711 97712 6c2ee0e0 97710->97712 97711->97710 97713 6c2ee0e2 FindClose 
97712->97713 97714 6c2ee13c 97712->97714 97713->97712 97714->97545 97716 6c2f8846 97715->97716 97717 6c2f88be OpenServiceA 97716->97717 97718 6c2f8922 97716->97718 97717->97716 97718->97590 97720 6c2e0893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 97719->97720 97721 6c2e4e71 CloseHandle 97720->97721 97722 6c2e3bd1 CloseHandle 97720->97722 97723 6c1837cb 97720->97723 97725 6c2ccea0 WriteFile ReadFile WriteFile WriteFile 97720->97725 97809 6c2cc390 97720->97809 97721->97720 97722->97720 97726 6c2f9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 97723->97726 97725->97720 97726->97556 97728 6c196bd5 97727->97728 97820 6c1c2020 97728->97820 97730 6c196c68 97731 6c2fa133 std::_Facet_Register 4 API calls 97730->97731 97732 6c196ca0 97731->97732 97837 6c2faa17 97732->97837 97734 6c196cb4 97849 6c1c1d90 97734->97849 97737 6c196d8e 97737->97601 97739 6c196dc8 97857 6c1c26e0 24 API calls 4 library calls 97739->97857 97741 6c196dda 97858 6c2fca69 RaiseException 97741->97858 97743 6c196def 97859 6c1be010 67 API calls 97743->97859 97745 6c196e0f 97745->97601 97747 6c196e9f 97746->97747 97750 6c196eb3 97747->97750 98250 6c1c3560 32 API calls std::_Xinvalid_argument 97747->98250 97752 6c196f5b 97750->97752 98252 6c1c2250 30 API calls 97750->98252 98253 6c1c26e0 24 API calls 4 library calls 97750->98253 98254 6c2fca69 RaiseException 97750->98254 97755 6c196f6e 97752->97755 98251 6c1c37e0 32 API calls std::_Xinvalid_argument 97752->98251 97755->97601 97757 6c19709e 97756->97757 97763 6c1970d1 97756->97763 98255 6c1c01f0 97757->98255 97758 6c197183 97758->97590 97762 6c304208 67 API calls 97762->97763 97763->97758 98259 6c1c2250 30 API calls 97763->98259 97764 6c1971ae 98260 6c1c2340 24 API calls 97764->98260 97766 6c1971be 98261 6c2fca69 RaiseException 97766->98261 97768 6c1971c9 97769->97590 97770->97584 97773 6c2f8770 97771->97773 97772 6c2f87b0 WaitForSingleObject CloseHandle CloseHandle 97772->97773 
97773->97772 97774 6c2f87a4 97773->97774 97774->97594 97775->97609 97777 6c2f90a7 97776->97777 98307 6c2f96e0 97777->98307 97779 6c2f90b8 97780 6c196ba0 104 API calls 97779->97780 97785 6c2f90dc 97780->97785 97782 6c2f918f std::ios_base::_Ios_base_dtor 98360 6c1be010 67 API calls 97782->98360 97786 6c2f9144 97785->97786 97792 6c2f9157 97785->97792 98326 6c2f9a30 97785->98326 98334 6c1d3010 97785->98334 98344 6c2f9280 97786->98344 97787 6c2f91d2 std::ios_base::_Ios_base_dtor 97787->97646 97790 6c2f914c 97791 6c197090 77 API calls 97790->97791 97791->97792 98359 6c1be010 67 API calls 97792->98359 97793->97635 97798 6c2f8966 std::locale::_Setgloballocale 97794->97798 97795 6c2f8a64 Process32NextW 97795->97798 97796 6c2f8a14 CloseHandle 97796->97798 97797 6c2f8a96 97797->97564 97798->97795 97798->97796 97798->97797 97799 6c2f8a45 Process32FirstW 97798->97799 97799->97798 97800->97581 97801->97601 97803->97562 97804->97696 97805->97704 97806->97707 97807->97699 97808->97702 97810 6c2cc3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 97809->97810 97811 6c2cce3c 97810->97811 97812 6c2ccab9 CreateFileA 97810->97812 97814 6c2cb4d0 97810->97814 97811->97720 97812->97810 97815 6c2cb4e3 __wsopen_s std::locale::_Setgloballocale 97814->97815 97816 6c2cc206 WriteFile 97815->97816 97817 6c2cb619 WriteFile 97815->97817 97818 6c2cc377 97815->97818 97819 6c2cbc23 ReadFile 97815->97819 97816->97815 97817->97815 97818->97810 97819->97815 97821 6c2fa133 std::_Facet_Register 4 API calls 97820->97821 97822 6c1c207e 97821->97822 97823 6c2faa17 43 API calls 97822->97823 97824 6c1c2092 97823->97824 97860 6c1c2f60 42 API calls 4 library calls 97824->97860 97826 6c1c210d 97829 6c1c2120 97826->97829 97861 6c2fa67e 9 API calls 2 library calls 97826->97861 97827 6c1c20c8 97827->97826 97828 6c1c2136 97827->97828 97862 6c1c2250 30 API calls 97828->97862 97829->97730 97832 6c1c215b 97863 6c1c2340 24 API calls 97832->97863 97834 6c1c2171 97864 6c2fca69 RaiseException 97834->97864 97836 6c1c217c 
97836->97730 97838 6c2faa23 __EH_prolog3 97837->97838 97865 6c2fa5a5 97838->97865 97843 6c2faa41 97879 6c2faaaa 39 API calls std::locale::_Setgloballocale 97843->97879 97844 6c2faa9c 97844->97734 97846 6c2faa49 97880 6c2fa8a1 HeapFree GetLastError _Yarn 97846->97880 97848 6c2faa5f 97871 6c2fa5d6 97848->97871 97850 6c1c1ddc 97849->97850 97851 6c196d5d 97849->97851 97885 6c2fab37 97850->97885 97851->97737 97856 6c1c2250 30 API calls 97851->97856 97855 6c1c1e82 97856->97739 97857->97741 97858->97743 97859->97745 97860->97827 97861->97829 97862->97832 97863->97834 97864->97836 97866 6c2fa5b4 97865->97866 97869 6c2fa5bb 97865->97869 97881 6c303abd 6 API calls std::_Lockit::_Lockit 97866->97881 97868 6c2fa5b9 97868->97848 97878 6c2fa920 6 API calls 2 library calls 97868->97878 97869->97868 97882 6c2fbc7b EnterCriticalSection 97869->97882 97872 6c303acb 97871->97872 97873 6c2fa5e0 97871->97873 97884 6c303aa6 LeaveCriticalSection 97872->97884 97874 6c2fa5f3 97873->97874 97883 6c2fbc89 LeaveCriticalSection 97873->97883 97874->97844 97877 6c303ad2 97877->97844 97878->97843 97879->97846 97880->97848 97881->97868 97882->97868 97883->97874 97884->97877 97886 6c2fab40 97885->97886 97887 6c1c1dea 97886->97887 97894 6c30343a 97886->97894 97887->97851 97893 6c2ffc53 18 API calls __cftoe 97887->97893 97889 6c2fab8c 97889->97887 97905 6c303148 65 API calls 97889->97905 97891 6c2faba7 97891->97887 97906 6c304208 97891->97906 97893->97855 97895 6c303445 __wsopen_s 97894->97895 97896 6c303458 97895->97896 97897 6c303478 97895->97897 97931 6c303810 18 API calls __cftoe 97896->97931 97899 6c303468 97897->97899 97917 6c30e4fc 97897->97917 97899->97889 97905->97891 97907 6c304214 __wsopen_s 97906->97907 97908 6c304233 97907->97908 97909 6c30421e 97907->97909 97914 6c30422e 97908->97914 98112 6c2ffc99 EnterCriticalSection 97908->98112 98127 6c303810 18 API calls __cftoe 97909->98127 97911 6c304250 98113 6c30428c 97911->98113 97914->97887 97915 6c30425b 98128 6c304282 LeaveCriticalSection 
97915->98128 97918 6c30e508 __wsopen_s 97917->97918 97933 6c303a8f EnterCriticalSection 97918->97933 97920 6c30e516 97934 6c30e5a0 97920->97934 97925 6c30e662 97926 6c30e781 97925->97926 97958 6c30e804 97926->97958 97929 6c3034bc 97932 6c3034e5 LeaveCriticalSection 97929->97932 97931->97899 97932->97899 97933->97920 97942 6c30e5c3 97934->97942 97935 6c30e523 97948 6c30e55c 97935->97948 97936 6c30e61b 97953 6c30a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 97936->97953 97939 6c30e624 97954 6c307eab HeapFree GetLastError _free 97939->97954 97941 6c30e62d 97941->97935 97955 6c30a30f 6 API calls std::_Lockit::_Lockit 97941->97955 97942->97935 97942->97936 97942->97942 97951 6c2ffc99 EnterCriticalSection 97942->97951 97952 6c2ffcad LeaveCriticalSection 97942->97952 97944 6c30e64c 97956 6c2ffc99 EnterCriticalSection 97944->97956 97947 6c30e65f 97947->97935 97957 6c303aa6 LeaveCriticalSection 97948->97957 97950 6c303493 97950->97899 97950->97925 97951->97942 97952->97942 97953->97939 97954->97941 97955->97944 97956->97947 97957->97950 97959 6c30e823 97958->97959 97960 6c30e836 97959->97960 97964 6c30e84b 97959->97964 97974 6c303810 18 API calls __cftoe 97960->97974 97962 6c30e797 97962->97929 97971 6c3176ce 97962->97971 97969 6c30e96b 97964->97969 97975 6c317598 37 API calls __cftoe 97964->97975 97966 6c30e9bb 97966->97969 97976 6c317598 37 API calls __cftoe 97966->97976 97968 6c30e9d9 97968->97969 97977 6c317598 37 API calls __cftoe 97968->97977 97969->97962 97978 6c303810 18 API calls __cftoe 97969->97978 97979 6c317a86 97971->97979 97974->97962 97975->97966 97976->97968 97977->97969 97978->97962 97980 6c317a92 __wsopen_s 97979->97980 97981 6c317a99 97980->97981 97982 6c317ac4 97980->97982 97997 6c303810 18 API calls __cftoe 97981->97997 97988 6c3176ee 97982->97988 97987 6c3176e9 97987->97929 97999 6c303dbb 97988->97999 97994 6c317724 97996 6c317756 97994->97996 98039 6c307eab HeapFree GetLastError _free 97994->98039 97998 
6c317b1b LeaveCriticalSection __wsopen_s 97996->97998 97997->97987 97998->97987 98040 6c2ff3db 97999->98040 98003 6c303ddf 98004 6c2ff4e6 98003->98004 98049 6c2ff53e 98004->98049 98006 6c2ff4fe 98006->97994 98007 6c31775c 98006->98007 98064 6c317bdc 98007->98064 98013 6c317882 GetFileType 98016 6c3178d4 98013->98016 98017 6c31788d GetLastError 98013->98017 98014 6c31778e __dosmaperr 98014->97994 98015 6c317857 GetLastError 98015->98014 98094 6c314ea0 SetStdHandle __dosmaperr __wsopen_s 98016->98094 98093 6c3030e2 __dosmaperr _free 98017->98093 98018 6c317805 98018->98013 98018->98015 98092 6c317b47 CreateFileW 98018->98092 98020 6c31789b CloseHandle 98020->98014 98036 6c3178c4 98020->98036 98023 6c31784a 98023->98013 98023->98015 98024 6c3178f5 98025 6c317941 98024->98025 98095 6c317d56 70 API calls 2 library calls 98024->98095 98029 6c317948 98025->98029 98109 6c317e00 70 API calls 2 library calls 98025->98109 98028 6c317976 98028->98029 98030 6c317984 98028->98030 98096 6c30f015 98029->98096 98030->98014 98032 6c317a00 CloseHandle 98030->98032 98110 6c317b47 CreateFileW 98032->98110 98034 6c317a2b 98035 6c317a35 GetLastError 98034->98035 98034->98036 98037 6c317a41 __dosmaperr 98035->98037 98036->98014 98111 6c314e0f SetStdHandle __dosmaperr __wsopen_s 98037->98111 98039->97996 98041 6c2ff3fb 98040->98041 98042 6c2ff3f2 98040->98042 98041->98042 98043 6c3080a2 __Getctype 37 API calls 98041->98043 98042->98003 98048 6c30a0c5 5 API calls std::_Lockit::_Lockit 98042->98048 98044 6c2ff41b 98043->98044 98045 6c308618 __Getctype 37 API calls 98044->98045 98046 6c2ff431 98045->98046 98047 6c308645 __cftoe 37 API calls 98046->98047 98047->98042 98048->98003 98050 6c2ff54c 98049->98050 98051 6c2ff566 98049->98051 98052 6c2ff4cc __wsopen_s HeapFree GetLastError 98050->98052 98053 6c2ff56d 98051->98053 98054 6c2ff58c 98051->98054 98058 6c2ff556 __dosmaperr 98052->98058 98056 6c2ff48d __wsopen_s HeapFree GetLastError 98053->98056 98053->98058 98055 6c307f33 __fassign 
MultiByteToWideChar 98054->98055 98060 6c2ff59b 98055->98060 98056->98058 98057 6c2ff5a2 GetLastError 98057->98058 98058->98006 98059 6c2ff5c8 98059->98058 98061 6c307f33 __fassign MultiByteToWideChar 98059->98061 98060->98057 98060->98059 98062 6c2ff48d __wsopen_s HeapFree GetLastError 98060->98062 98063 6c2ff5df 98061->98063 98062->98059 98063->98057 98063->98058 98065 6c317c17 98064->98065 98067 6c317bfd 98064->98067 98066 6c317b6c __wsopen_s 18 API calls 98065->98066 98071 6c317c4f 98066->98071 98067->98065 98068 6c303810 __cftoe 18 API calls 98067->98068 98068->98065 98069 6c317c7e 98070 6c319001 __wsopen_s 18 API calls 98069->98070 98073 6c317779 98069->98073 98072 6c317ccc 98070->98072 98071->98069 98075 6c303810 __cftoe 18 API calls 98071->98075 98072->98073 98074 6c317d49 98072->98074 98073->98014 98078 6c314cfc 98073->98078 98076 6c30383d __Getctype 11 API calls 98074->98076 98075->98069 98077 6c317d55 98076->98077 98079 6c314d08 __wsopen_s 98078->98079 98080 6c303a8f std::_Lockit::_Lockit EnterCriticalSection 98079->98080 98082 6c314d0f 98080->98082 98081 6c314d34 98084 6c314f32 __wsopen_s 11 API calls 98081->98084 98082->98081 98087 6c314da3 EnterCriticalSection 98082->98087 98090 6c314d56 98082->98090 98083 6c314e06 __wsopen_s LeaveCriticalSection 98085 6c314d76 98083->98085 98086 6c314d39 98084->98086 98085->98014 98091 6c317b47 CreateFileW 98085->98091 98089 6c315080 __wsopen_s EnterCriticalSection 98086->98089 98086->98090 98088 6c314db0 LeaveCriticalSection 98087->98088 98087->98090 98088->98082 98089->98090 98090->98083 98091->98018 98092->98023 98093->98020 98094->98024 98095->98025 98097 6c314c92 __wsopen_s 18 API calls 98096->98097 98098 6c30f025 98097->98098 98099 6c30f02b 98098->98099 98101 6c30f05d 98098->98101 98102 6c314c92 __wsopen_s 18 API calls 98098->98102 98100 6c314e0f __wsopen_s SetStdHandle 98099->98100 98108 6c30f083 __dosmaperr 98100->98108 98101->98099 98103 6c314c92 __wsopen_s 18 API calls 98101->98103 98104 6c30f054 
98102->98104 98105 6c30f069 CloseHandle 98103->98105 98106 6c314c92 __wsopen_s 18 API calls 98104->98106 98105->98099 98107 6c30f075 GetLastError 98105->98107 98106->98101 98107->98099 98108->98014 98109->98028 98110->98034 98111->98036 98112->97911 98114 6c3042ae 98113->98114 98115 6c304299 98113->98115 98120 6c3042a9 98114->98120 98129 6c3043a9 98114->98129 98151 6c303810 18 API calls __cftoe 98115->98151 98120->97915 98123 6c3042d1 98144 6c30ef88 98123->98144 98125 6c3042d7 98125->98120 98152 6c307eab HeapFree GetLastError _free 98125->98152 98127->97914 98128->97914 98130 6c3043c1 98129->98130 98134 6c3042c3 98129->98134 98131 6c30d350 18 API calls 98130->98131 98130->98134 98132 6c3043df 98131->98132 98153 6c30f25c 98132->98153 98135 6c30be2e 98134->98135 98136 6c30be45 98135->98136 98137 6c3042cb 98135->98137 98136->98137 98237 6c307eab HeapFree GetLastError _free 98136->98237 98139 6c30d350 98137->98139 98140 6c30d371 98139->98140 98141 6c30d35c 98139->98141 98140->98123 98238 6c303810 18 API calls __cftoe 98141->98238 98143 6c30d36c 98143->98123 98145 6c30efae 98144->98145 98147 6c30ef99 __dosmaperr 98144->98147 98146 6c30eff7 __dosmaperr 98145->98146 98148 6c30efd5 98145->98148 98247 6c303810 18 API calls __cftoe 98146->98247 98147->98125 98239 6c30f0b1 98148->98239 98151->98120 98152->98120 98154 6c30f268 __wsopen_s 98153->98154 98155 6c30f2ba 98154->98155 98157 6c30f323 __dosmaperr 98154->98157 98160 6c30f270 __dosmaperr 98154->98160 98164 6c315080 EnterCriticalSection 98155->98164 98194 6c303810 18 API calls __cftoe 98157->98194 98158 6c30f2c0 98162 6c30f2dc __dosmaperr 98158->98162 98165 6c30f34e 98158->98165 98160->98134 98193 6c30f31b LeaveCriticalSection __wsopen_s 98162->98193 98164->98158 98166 6c30f370 98165->98166 98185 6c30f38c __dosmaperr 98165->98185 98167 6c30f3c4 98166->98167 98169 6c30f374 __dosmaperr 98166->98169 98168 6c30f3d7 98167->98168 98203 6c30e359 20 API calls __wsopen_s 98167->98203 98195 6c30f530 98168->98195 98202 6c303810 18 
API calls __cftoe 98169->98202 98174 6c30f42c 98176 6c30f440 98174->98176 98177 6c30f485 WriteFile 98174->98177 98175 6c30f3ed 98178 6c30f3f1 98175->98178 98179 6c30f416 98175->98179 98182 6c30f475 98176->98182 98183 6c30f44b 98176->98183 98180 6c30f4a9 GetLastError 98177->98180 98177->98185 98178->98185 98204 6c30f94b 6 API calls __wsopen_s 98178->98204 98205 6c30f5a1 43 API calls 5 library calls 98179->98205 98180->98185 98208 6c30f9b3 7 API calls 2 library calls 98182->98208 98186 6c30f450 98183->98186 98187 6c30f465 98183->98187 98185->98162 98186->98185 98190 6c30f455 98186->98190 98207 6c30fb77 8 API calls 3 library calls 98187->98207 98189 6c30f463 98189->98185 98206 6c30fa8e 7 API calls 2 library calls 98190->98206 98193->98160 98194->98160 98196 6c3150d5 __wsopen_s 18 API calls 98195->98196 98197 6c30f541 98196->98197 98198 6c30f3e8 98197->98198 98209 6c3080a2 GetLastError 98197->98209 98198->98174 98198->98175 98201 6c30f57e GetConsoleMode 98201->98198 98202->98185 98203->98168 98204->98185 98205->98185 98206->98189 98207->98189 98208->98189 98210 6c3080bf 98209->98210 98211 6c3080b9 98209->98211 98212 6c30a252 __Getctype 6 API calls 98210->98212 98216 6c3080c5 SetLastError 98210->98216 98213 6c30a213 __Getctype 6 API calls 98211->98213 98214 6c3080dd 98212->98214 98213->98210 98215 6c3080e1 98214->98215 98214->98216 98217 6c30a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 98215->98217 98222 6c308153 98216->98222 98223 6c308159 98216->98223 98219 6c3080ed 98217->98219 98220 6c3080f5 98219->98220 98221 6c30810c 98219->98221 98225 6c30a252 __Getctype 6 API calls 98220->98225 98224 6c30a252 __Getctype 6 API calls 98221->98224 98222->98198 98222->98201 98226 6c3041b9 __Getctype 35 API calls 98223->98226 98227 6c308118 98224->98227 98228 6c308103 98225->98228 98229 6c30815e 98226->98229 98230 6c30811c 98227->98230 98231 6c30812d 98227->98231 98233 6c307eab _free HeapFree GetLastError 98228->98233 98232 6c30a252 __Getctype 6 API calls 
98230->98232 98235 6c307eab _free HeapFree GetLastError 98231->98235 98232->98228 98234 6c308109 98233->98234 98234->98216 98236 6c30813f 98235->98236 98236->98216 98237->98137 98238->98143 98240 6c30f0bd __wsopen_s 98239->98240 98248 6c315080 EnterCriticalSection 98240->98248 98242 6c30f0cb 98243 6c30f015 __wsopen_s 21 API calls 98242->98243 98244 6c30f0f8 98242->98244 98243->98244 98249 6c30f131 LeaveCriticalSection __wsopen_s 98244->98249 98246 6c30f11a 98246->98147 98247->98147 98248->98242 98249->98246 98250->97750 98251->97755 98252->97750 98253->97750 98254->97750 98256 6c1c022e 98255->98256 98257 6c1970c4 98256->98257 98262 6c304ecb 98256->98262 98257->97762 98259->97764 98260->97766 98261->97768 98263 6c304ef6 98262->98263 98264 6c304ed9 98262->98264 98263->98256 98264->98263 98265 6c304ee6 98264->98265 98266 6c304efa 98264->98266 98278 6c303810 18 API calls __cftoe 98265->98278 98270 6c3050f2 98266->98270 98271 6c3050fe __wsopen_s 98270->98271 98279 6c2ffc99 EnterCriticalSection 98271->98279 98273 6c30510c 98280 6c3050af 98273->98280 98277 6c304f2c 98277->98256 98278->98263 98279->98273 98288 6c30bc96 98280->98288 98286 6c3050e9 98287 6c305141 LeaveCriticalSection 98286->98287 98287->98277 98289 6c30d350 18 API calls 98288->98289 98290 6c30bca7 98289->98290 98291 6c3150d5 __wsopen_s 18 API calls 98290->98291 98292 6c30bcad __wsopen_s 98291->98292 98293 6c3050c3 98292->98293 98305 6c307eab HeapFree GetLastError _free 98292->98305 98295 6c304f2e 98293->98295 98297 6c304f40 98295->98297 98299 6c304f5e 98295->98299 98296 6c304f4e 98306 6c303810 18 API calls __cftoe 98296->98306 98297->98296 98297->98299 98302 6c304f76 _Yarn 98297->98302 98304 6c30bd49 62 API calls 98299->98304 98300 6c3043a9 62 API calls 98300->98302 98301 6c30d350 18 API calls 98301->98302 98302->98299 98302->98300 98302->98301 98303 6c30f25c __wsopen_s 62 API calls 98302->98303 98303->98302 98304->98286 98305->98293 98306->98299 98308 6c2f9715 98307->98308 98309 6c1c2020 52 API calls 
98308->98309 98310 6c2f97b6 98309->98310 98311 6c2fa133 std::_Facet_Register 4 API calls 98310->98311 98312 6c2f97ee 98311->98312 98313 6c2faa17 43 API calls 98312->98313 98314 6c2f9802 98313->98314 98315 6c1c1d90 89 API calls 98314->98315 98316 6c2f98ab 98315->98316 98317 6c2f98dc 98316->98317 98361 6c1c2250 30 API calls 98316->98361 98317->97779 98319 6c2f9916 98362 6c1c26e0 24 API calls 4 library calls 98319->98362 98321 6c2f9928 98363 6c2fca69 RaiseException 98321->98363 98323 6c2f993d 98364 6c1be010 67 API calls 98323->98364 98325 6c2f994f 98325->97779 98327 6c2f9a7d 98326->98327 98365 6c2f9c90 98327->98365 98329 6c2f9b6c 98329->97785 98333 6c2f9a95 98333->98329 98383 6c1c2250 30 API calls 98333->98383 98384 6c1c26e0 24 API calls 4 library calls 98333->98384 98385 6c2fca69 RaiseException 98333->98385 98335 6c1d304f 98334->98335 98338 6c1d3063 98335->98338 98394 6c1c3560 32 API calls std::_Xinvalid_argument 98335->98394 98339 6c1d311e 98338->98339 98396 6c1c2250 30 API calls 98338->98396 98397 6c1c26e0 24 API calls 4 library calls 98338->98397 98398 6c2fca69 RaiseException 98338->98398 98340 6c1d3131 98339->98340 98395 6c1c37e0 32 API calls std::_Xinvalid_argument 98339->98395 98340->97785 98345 6c2f928e 98344->98345 98348 6c2f92c1 98344->98348 98346 6c1c01f0 64 API calls 98345->98346 98349 6c2f92b4 98346->98349 98347 6c2f9373 98347->97790 98348->98347 98399 6c1c2250 30 API calls 98348->98399 98351 6c304208 67 API calls 98349->98351 98351->98348 98352 6c2f939e 98400 6c1c2340 24 API calls 98352->98400 98354 6c2f93ae 98401 6c2fca69 RaiseException 98354->98401 98356 6c2f93b9 98402 6c1be010 67 API calls 98356->98402 98358 6c2f9412 std::ios_base::_Ios_base_dtor 98358->97790 98359->97782 98360->97787 98361->98319 98362->98321 98363->98323 98364->98325 98366 6c2f9ccc 98365->98366 98367 6c2f9cf8 98365->98367 98381 6c2f9cf1 98366->98381 98388 6c1c2250 30 API calls 98366->98388 98372 6c2f9d09 98367->98372 98386 6c1c3560 32 API calls std::_Xinvalid_argument 98367->98386 
98370 6c2f9ed8 98389 6c1c2340 24 API calls 98370->98389 98372->98381 98387 6c1c2f60 42 API calls 4 library calls 98372->98387 98373 6c2f9ee7 98390 6c2fca69 RaiseException 98373->98390 98377 6c2f9f17 98392 6c1c2340 24 API calls 98377->98392 98379 6c2f9f2d 98393 6c2fca69 RaiseException 98379->98393 98381->98333 98382 6c2f9d43 98382->98381 98391 6c1c2250 30 API calls 98382->98391 98383->98333 98384->98333 98385->98333 98386->98372 98387->98382 98388->98370 98389->98373 98390->98382 98391->98377 98392->98379 98393->98381 98394->98338 98395->98340 98396->98338 98397->98338 98398->98338 98399->98352 98400->98354 98401->98356 98402->98358 98403 6c173d62 98406 6c173bc0 98403->98406 98404 6c173e8a GetCurrentThread NtSetInformationThread 98405 6c173eea 98404->98405 98406->98404 98407 6c18f150 98409 6c18efbe 98407->98409 98408 6c18f243 CreateFileA 98412 6c18f2a7 98408->98412 98409->98408 98410 6c1902ca 98411 6c1902ac GetCurrentProcess TerminateProcess 98411->98410 98412->98410 98412->98411 98413 6c30262f 98414 6c30263b __wsopen_s 98413->98414 98415 6c302642 GetLastError ExitThread 98414->98415 98416 6c30264f 98414->98416 98417 6c3080a2 __Getctype 37 API calls 98416->98417 98418 6c302654 98417->98418 98425 6c30d456 98418->98425 98421 6c30266b 98431 6c30259a 16 API calls 2 library calls 98421->98431 98424 6c30268d 98426 6c30265f 98425->98426 98427 6c30d468 GetPEB 98425->98427 98426->98421 98430 6c30a45f 5 API calls std::_Lockit::_Lockit 98426->98430 98427->98426 98428 6c30d47b 98427->98428 98432 6c30a508 5 API calls std::_Lockit::_Lockit 98428->98432 98430->98421 98431->98424 98432->98426
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: d36633ab194f707a6a47e251d969c104c86bc2791f691f7df7497f7dccdbb4fc
                            • Instruction ID: 75d615c66b795ace3507e9cab95c9824e8924f6ab9d2e2efdbc2697c1119e67f
                            • Opcode Fuzzy Hash: d36633ab194f707a6a47e251d969c104c86bc2791f691f7df7497f7dccdbb4fc
                            • Instruction Fuzzy Hash: 7D741571645B018FC738CF28C8D0695B7F3EF95318B198A6DC0A68BB55EB38B54ACB50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 4604 6c2f8930-6c2f8964 CreateToolhelp32Snapshot 4605 6c2f8980-6c2f8989 4604->4605 4606 6c2f898b-6c2f8990 4605->4606 4607 6c2f89d0-6c2f89d5 4605->4607 4608 6c2f8a0d-6c2f8a12 4606->4608 4609 6c2f8992-6c2f8997 4606->4609 4610 6c2f89d7-6c2f89dc 4607->4610 4611 6c2f8a34-6c2f8a62 call 6c2ff010 Process32FirstW 4607->4611 4616 6c2f8a8b-6c2f8a90 4608->4616 4617 6c2f8a14-6c2f8a2f CloseHandle 4608->4617 4612 6c2f8999-6c2f899e 4609->4612 4613 6c2f8966-6c2f8973 4609->4613 4614 6c2f8a64-6c2f8a71 Process32NextW 4610->4614 4615 6c2f89e2-6c2f89e7 4610->4615 4619 6c2f8a76-6c2f8a86 4611->4619 4612->4605 4621 6c2f89a0-6c2f89ca call 6c3062f5 4612->4621 4613->4605 4614->4619 4615->4605 4622 6c2f89e9-6c2f8a08 4615->4622 4616->4605 4620 6c2f8a96-6c2f8aa4 4616->4620 4617->4605 4619->4605 4621->4605 4622->4605
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C2F893E
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 5b7e7ffef1755075976f05f6257dba437e807c23a9fdc60a0a0872ff2e6b16cf
                            • Instruction ID: f82af291df3f48744feb90cef9e89e2f21da0acb1f69cd7a33e6b9b5d54adeb6
                            • Opcode Fuzzy Hash: 5b7e7ffef1755075976f05f6257dba437e807c23a9fdc60a0a0872ff2e6b16cf
                            • Instruction Fuzzy Hash: B8315F7024930A9BDB01DF19C884B5AFBE4AF86704F54492EF8E8D6360D731D8468B53

                            Control-flow Graph

                            • Graph for the function at 6C173886 (basic blocks span 6C17383B-6C17414B): the block 6C173E81-6C173EE0 calls GetCurrentThread and NtSetInformationThread; other blocks call the internal routines 6C2C2A20, 6C2C2A30 and 6C173750. The executed/not-executed colouring of the rendered graph is not recoverable from the text dump.
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e44ba9496f81cc02c2bfc1792f07479f3086cb60c44af0ebce7929805d07d18
                            • Instruction ID: afeb805e5fc98251aeec6ed4ca12d0d973c2111af4fe732e371d7d9aa5c6e3b3
                            • Opcode Fuzzy Hash: 3e44ba9496f81cc02c2bfc1792f07479f3086cb60c44af0ebce7929805d07d18
                            • Instruction Fuzzy Hash: 8232E532245B018FC334CF28C890695B7E3EFD53147AA8A6DC0EA5BA95D775B44BCB60
                            APIs
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 735398fdc38b671f8be010ece68e8195977d477662714790c9e01e5e14304251
                            • Instruction ID: 2ff39f0b4d3282e008c4388516357c84824b44a6ae779d62f164d2a33b556ab0
                            • Opcode Fuzzy Hash: 735398fdc38b671f8be010ece68e8195977d477662714790c9e01e5e14304251
                            • Instruction Fuzzy Hash: 5551E271244B018FC331CF28C8847C5B7A3BF95314FAA8B5DC0EA5BA95DB75B44A8B61
                            APIs
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 08b7aee46c3bb072ca82c9f69e2948e5b474a7168853ab3226c880fea12cb502
                            • Instruction ID: 4c0f2b3e71a5a59f67ee57cfec3c112ce5230f0d4c84d9163aae3b24c654a346
                            • Opcode Fuzzy Hash: 08b7aee46c3bb072ca82c9f69e2948e5b474a7168853ab3226c880fea12cb502
                            • Instruction Fuzzy Hash: 2F51B071144B018FC330CF28C480795B7A3BF96314FAA8B5DC0EA5BA95DB75B44B8BA1
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C173E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C173EAA
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 594512983b3d1f86fc3cffe6b5bb6cf9a55affb613512300a41ab1c545cc9084
                            • Instruction ID: 4f1234edf0404fa1330dd6ae8f6042f047bb0575a72b3e14598252c3dbc76f4f
                            • Opcode Fuzzy Hash: 594512983b3d1f86fc3cffe6b5bb6cf9a55affb613512300a41ab1c545cc9084
                            • Instruction Fuzzy Hash: 7531F671255B01CFC730CF34C8947C6B7A3AF96314FAA4A5DC0A65BA81DB78700A9B62
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C173E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C173EAA
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 78f8a3bc645f5e38a4362dbe581028d26fd1351e1dc0eb25f38b3050fad2c4f4
                            • Instruction ID: 91737fe79429eb9b5e55858ec9fd6d56efaca6733122f645f5534335d590d0de
                            • Opcode Fuzzy Hash: 78f8a3bc645f5e38a4362dbe581028d26fd1351e1dc0eb25f38b3050fad2c4f4
                            • Instruction Fuzzy Hash: 3131F371114701CFC734CF28C494796B7A7AF56304FAA4E5CC0EA5BA81DB75B446CBA2
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C2F8820
                            • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C2F88C5
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: Open$ManagerService
                            • String ID:
                            • API String ID: 2351955762-0
                            • Opcode ID: a79a8e318b808e5a51f6302d1a2b6d91ec53cecb31749283e4e529e2d3a059a9
                            • Instruction ID: 947955a419ffcc353a6fe67f4d7f487f8f82a4815edbc3cfa790b17e7af46478
                            • Opcode Fuzzy Hash: a79a8e318b808e5a51f6302d1a2b6d91ec53cecb31749283e4e529e2d3a059a9
                            • Instruction Fuzzy Hash: 2C311A7455830EAFC700CF29C845A0EFBF0AB8A755F548C5AF8A4D7361D271C8498B63
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C173E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C173EAA
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 5aae0fed5dbd7c9a0d5f0288cc3fb5635b2c7b1983f1232a64505223912890c7
                            • Instruction ID: c0c17edba3c2efdfa9175c021b2682905bcf597437491d53fdf55ed9d1c1b6cb
                            • Opcode Fuzzy Hash: 5aae0fed5dbd7c9a0d5f0288cc3fb5635b2c7b1983f1232a64505223912890c7
                            • Instruction Fuzzy Hash: 3B21C470258701CFD734CF34C8947D6B7B6AF56304FA94A1DC0AA8BA90DF79B4099B62
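The entries above record the sample's anti-debug primitive (GetCurrentThread followed by NtSetInformationThread with ThreadInformationClass 0x11, ThreadHideFromDebugger), and earlier entries record a CreateToolhelp32Snapshot(0x2) process walk and OpenSCManagerA/OpenServiceA opened with access masks 0x1 and 0x4. As an added example, not code from the report or from the analysed sample, the following Python decoder parses report lines in exactly this rendered format and names those constants, so a similar function listing can be triaged without looking each value up. The constant names (ThreadHideFromDebugger = 0x11, TH32CS_SNAPPROCESS = 0x2, SC_MANAGER_CONNECT = 0x1, SERVICE_QUERY_STATUS = 0x4 and the rest of the flag tables) are taken from the public Windows SDK and ntdll headers, not from the report; the input lines are copied from this section and the rule set is the author's own choice.

```python
"""Decode Joe Sandbox 'APIs' lines into anti-analysis indicators.

Added example, not code from the report or from the analysed sample.
Constant names are assumptions taken from the public Windows SDK and
ntdll headers; the sample lines at the bottom are copied from this report.
"""
import re
from dataclasses import dataclass

# Rendered report line: "• Api.MODULE(arg,arg,...), ref: CALLSITE"
# Arguments are hex, '?' marks one the sandbox could not resolve, and
# some calls (GetCurrentThread) are rendered with no argument list.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS 17 (name assumed from ntdll headers)
TH32CS = {0x1: "HEAPLIST", 0x2: "PROCESS", 0x4: "THREAD", 0x8: "MODULE", 0x10: "MODULE32"}
SC_MANAGER = {0x1: "CONNECT", 0x2: "CREATE_SERVICE", 0x4: "ENUMERATE_SERVICE",
              0x8: "LOCK", 0x10: "QUERY_LOCK_STATUS", 0x20: "MODIFY_BOOT_CONFIG"}
SERVICE = {0x1: "QUERY_CONFIG", 0x2: "CHANGE_CONFIG", 0x4: "QUERY_STATUS",
           0x8: "ENUMERATE_DEPENDENTS", 0x10: "START", 0x20: "STOP",
           0x40: "PAUSE_CONTINUE", 0x80: "INTERROGATE", 0x100: "USER_DEFINED_CONTROL"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int per hex argument, None where the report shows '?'
    ref: int     # address of the call site inside the dumped module


def parse_api_line(line):
    """Parse one rendered API line; return None for lines that are not API calls."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for token in m.group("args").split(","):
            token = token.strip()
            args.append(None if token == "?" else int(token, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def flags(value, table, prefix):
    """Render an access mask or flag word as 'PREFIX_A|PREFIX_B'; raw hex if no bit is known."""
    names = [prefix + name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def classify(call):
    """Map one call to a human-readable indicator, or None if it is not interesting."""
    a = call.args
    if call.api == "NtSetInformationThread" and len(a) >= 2 and a[1] == THREAD_HIDE_FROM_DEBUGGER:
        handle = "?" if a[0] is None else hex(a[0])
        return "anti-debug: ThreadHideFromDebugger (THREADINFOCLASS 0x11) on thread handle " + handle
    if call.api == "CreateToolhelp32Snapshot" and a and a[0] is not None:
        return "enumeration: Toolhelp32 snapshot with %s" % flags(a[0], TH32CS, "TH32CS_SNAP")
    if call.api in ("Process32FirstW", "Process32NextW"):
        return "enumeration: walking the process list"
    if call.api.startswith("OpenSCManager") and len(a) >= 3 and a[2] is not None:
        return "service probe: OpenSCManager with %s" % flags(a[2], SC_MANAGER, "SC_MANAGER_")
    if call.api.startswith("OpenService") and len(a) >= 3 and a[2] is not None:
        return "service probe: OpenService with %s" % flags(a[2], SERVICE, "SERVICE_")
    return None


def scan(lines):
    """Return [(call_site, indicator), ...] for every interesting call in the given lines."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        indicator = classify(call)
        if indicator:
            findings.append(("%08X" % call.ref, indicator))
    return findings


# Constructed input: API lines copied from the entries in this section of the report.
SAMPLE_LINES = [
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C2F893E",
    "• GetCurrentThread.KERNEL32 ref: 6C173E9D",
    "• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C173EAA",
    "• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C2F8820",
    "• OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C2F88C5",
    "• FindFirstFileA.KERNEL32(?,?), ref: 6C2EE0AC",
    "• FindClose.KERNEL32(000000FF), ref: 6C2EE2",
]

if __name__ == "__main__":
    for site, indicator in scan(SAMPLE_LINES):
        print(site, indicator)
```

Run against the lines above, the decoder reports the Toolhelp32 call as a TH32CS_SNAPPROCESS snapshot, the NtSetInformationThread call as ThreadHideFromDebugger, OpenSCManager as SC_MANAGER_CONNECT and OpenService as SERVICE_QUERY_STATUS; FindFirstFileA and FindClose fall through as uninteresting. Two points matter when reading that output. Once ThreadHideFromDebugger is set on a thread the kernel no longer delivers debug events for it, so an unhandled exception or a breakpoint in that thread kills the process rather than stopping in the debugger, and the flag cannot be cleared again through NtSetInformationThread; from a debugger you can confirm it with NtQueryInformationThread using the same class, which returns a BOOLEAN. SC_MANAGER_CONNECT and SERVICE_QUERY_STATUS are the lowest rights that still reveal whether a named service or driver exists and whether it is running, which is consistent with a probe for a security product or a previously installed component rather than with service creation.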
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6C2EE0AC
                            • FindClose.KERNEL32(000000FF), ref: 6C2EE0E2
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: 371eca8ec3352b14ddda17356034e87a874b52db7e6440c716c38ff1f2f26c59
                            • Instruction ID: da5e1da9840bb28421e535a56deb1d15cf7416603c282f66a8b0054b411ddac6
                            • Opcode Fuzzy Hash: 371eca8ec3352b14ddda17356034e87a874b52db7e6440c716c38ff1f2f26c59
                            • Instruction Fuzzy Hash: AE11607451C355DFC7108F28C94490A7BF4AB8A315F544D4AF8A8E7790DB30C984CB83

                            Control-flow Graph

                            • Graph for the function at 6C3101C3 (basic blocks span 6C3101C3-6C310572): calls GetConsoleMode, ReadConsoleW, ReadFile and GetLastError, plus internal routines 6C3030CF, 6C3030BC, 6C303810, 6C307EE5, 6C307EAB, 6C30E359, 6C3150D5, 6C3030E2, 6C3105EE, 6C310573 and 6C3108A6. The executed/not-executed colouring of the rendered graph is not recoverable from the text dump.
                            Strings
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: f68506307155a498c8b27995d74a874add9afc959b8caf980a199304f29aaaff
                            • Instruction ID: a62633bb13d7a2738f01bac8409e38cbbfa03f8184d2fe99e34bffe940d09c49
                            • Opcode Fuzzy Hash: f68506307155a498c8b27995d74a874add9afc959b8caf980a199304f29aaaff
                            • Instruction Fuzzy Hash: D0C10370A0D2859FDF09CF99C880BADBBB4BF4A318F104559E450A7B81CB729955CF62

                            Control-flow Graph

                            • Graph for the function at 6C31775C (basic blocks span 6C31775C-6C317A85): calls GetFileType, GetLastError and CloseHandle directly, reaches CreateFileW through the subcall 6C317B47, and calls the internal routines 6C317BDC, 6C314CFC, 6C3030CF, 6C3030BC, 6C3030E2, 6C314EA0, 6C317E00, 6C317D56, 6C30F015 and 6C314E0F. The executed/not-executed colouring of the rendered graph is not recoverable from the text dump.
                            APIs
                              • Part of subcall function 6C317B47: CreateFileW.KERNEL32(00000000,00000000,?,6C317805,?,?,00000000,?,6C317805,00000000,0000000C), ref: 6C317B64
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C317870
                            • __dosmaperr.LIBCMT ref: 6C317877
                            • GetFileType.KERNEL32(00000000), ref: 6C317883
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C31788D
                            • __dosmaperr.LIBCMT ref: 6C317896
                            • CloseHandle.KERNEL32(00000000), ref: 6C3178B6
                            • CloseHandle.KERNEL32(6C30E7C0), ref: 6C317A03
                            • GetLastError.KERNEL32 ref: 6C317A35
                            • __dosmaperr.LIBCMT ref: 6C317A3C
                            Strings
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 6444aad04ac5009ad2bd5e9922de7664e2a4a5f54f74d25a1a47f133c835efd6
                            • Instruction ID: 225fe5282e1838d365e837fd88793bb8d9a5f94a41fe11f1b4649192f40a0b6f
                            • Opcode Fuzzy Hash: 6444aad04ac5009ad2bd5e9922de7664e2a4a5f54f74d25a1a47f133c835efd6
                            • Instruction Fuzzy Hash: C8A12832A181158FCF0D9F68CC51BED7BB5AB07328F18414EE851ABB90D7368916CF52
                            APIs
                            • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C2CB62F
                            Strings
                            Memory Dump Source / Joe Sandbox IDA Plugin: identical to the block given in full above (module at 6C170000 in process 7, snapshot hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd)
                            Similarity
                            • API ID: FileWrite
                            • String ID: *$,=ym$-=ym$-=ym$B$H
                            • API String ID: 3934441357-3163594065
                            • Opcode ID: ab12f4f1f28400c703b342052c04c1c1f1a480cc59723cb089d0dd40ee6dee22
                            • Instruction ID: a5ea26a10f0c550fd46e567fac2f8e3ea4e9ec444e071f2fcf9f6811039bf549
                            • Opcode Fuzzy Hash: ab12f4f1f28400c703b342052c04c1c1f1a480cc59723cb089d0dd40ee6dee22
                            • Instruction Fuzzy Hash: 48729CB460934A8FCB54CF28C490A5EBBE1AF89345F188E1EF899CBB50D774D8458B43
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: f7438a9ceeca456358c4292212c84e5c897c7d57741cf2596643f6866172a57f
                            • Instruction ID: 5a5a52279212cfd74c18d41d66128c53227fa1f96be2e5c91b59806388252a8d
                            • Opcode Fuzzy Hash: f7438a9ceeca456358c4292212c84e5c897c7d57741cf2596643f6866172a57f
                            • Instruction Fuzzy Hash: 0403D431645B018FC728CF28C8D0695B7E3AFD532471ACB6DC0AA4BA95DB78B54ACF50

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseHandle$CreateObjectProcessSingleWait
                            • String ID: D
                            • API String ID: 2059082233-2746444292
                            • Opcode ID: db54afa74103c4d00d7531f28c86d95ed92922c18d3ece363d45a9d5fb3f3bba
                            • Instruction ID: 40ad9c676f04c63452ecef66d368604e01570ee1d71702ad537c850447be6dc4
                            • Opcode Fuzzy Hash: db54afa74103c4d00d7531f28c86d95ed92922c18d3ece363d45a9d5fb3f3bba
                            • Instruction Fuzzy Hash: FD31F2758193808FD740DF29D188B1AFBF0AB9A318F505A1EF8E986360D7749585CF43

                            Control-flow Graph

                            APIs
                              • Part of subcall function 6C30F5A1: GetConsoleCP.KERNEL32(?,6C30E7C0,?), ref: 6C30F5E9
                            • WriteFile.KERNEL32(?,?,6C317DDC,00000000,00000000,?,00000000,00000000,6C3191A6,00000000,00000000,?,00000000,6C30E7C0,6C317DDC,00000000), ref: 6C30F49F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C317DDC,6C30E7C0,00000000,?,?,?,?,00000000,?), ref: 6C30F4A9
                            • __dosmaperr.LIBCMT ref: 6C30F4EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: 6c69b513506aaff767de7762227477d94a80866b1cdcbe3462cf76bef1517907
                            • Instruction ID: 72315a31a05e6e485d8fb55c225ab8e5b3f4683112716a4cb7e8eaabb442582e
                            • Opcode Fuzzy Hash: 6c69b513506aaff767de7762227477d94a80866b1cdcbe3462cf76bef1517907
                            • Instruction Fuzzy Hash: C351D573B0120AABDB00DFA8C880BDEBBB9EF0E32CF140555D910A7A51D775D9458F6A

                            Control-flow Graph

                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2F9421
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: 16e46c9de167336429555b6325d5e411cb98629c2dbd424f47acc1955dd2a01a
                            • Instruction ID: 7c8fb288387ae400afa598a9152652aae527718d9bee3adef5f26a8c0f784b46
                            • Opcode Fuzzy Hash: 16e46c9de167336429555b6325d5e411cb98629c2dbd424f47acc1955dd2a01a
                            • Instruction Fuzzy Hash: CC5134B5600B048FD725CF29C485B97BBF5BB49318F008A2DD89647B90D779B90ACF90

                            Control-flow Graph

                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C2CCFE1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 2d27518b8fe1912ace5d18fc5538e4f2fe493ec3471168fe5b4c844ea664da51
                            • Instruction ID: 55896fd04361361b723e5e7584a954025d16c07387e42baaca3c61df7f95df4e
                            • Opcode Fuzzy Hash: 2d27518b8fe1912ace5d18fc5538e4f2fe493ec3471168fe5b4c844ea664da51
                            • Instruction Fuzzy Hash: BF716DB0258349AFD740DF18C884B5ABBF4BF89708F50492EF898C7650D775D9858B83

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @*Z$@*Z
                            • API String ID: 0-2842812045
                            • Opcode ID: de9707d1dbbcfd5e2c093498eb5e0ee499711fac8ca3adab3836a5a1dce6ff12
                            • Instruction ID: 507571eea387d9ecdd7de30a94647ca067beb850dc1f6f6ede62059f64e3aa85
                            • Opcode Fuzzy Hash: de9707d1dbbcfd5e2c093498eb5e0ee499711fac8ca3adab3836a5a1dce6ff12
                            • Instruction Fuzzy Hash: B7428A706093468FCB64DF18C480A6ABBE1AF89B04F248E2EF899C7765D374D945CB03

                            Control-flow Graph

                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C31794F), ref: 6C30F06B
                            • GetLastError.KERNEL32(?,00000000,?,6C31794F), ref: 6C30F075
                            • __dosmaperr.LIBCMT ref: 6C30F0A0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: 9441d8901f1da9e16251d98a03e0ef9e522045ca8b496ff0d0311c259d073525
                            • Instruction ID: ec000843b4d79a1ea4b447884245cca057e94521a6b2daeff59fb81cd215b509
                            • Opcode Fuzzy Hash: 9441d8901f1da9e16251d98a03e0ef9e522045ca8b496ff0d0311c259d073525
                            • Instruction Fuzzy Hash: 8C014E3370A2202AD6142239D8447EE376D4BCB73CF294749E96487FC1DF66C44449A5

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 41fa5b144db0fba5fe0952c874e591bea2c7e015c88e712dbee054c91c86d415
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: DEF0F4337017105AD6215A299C00BCB33AC8F5237CF110B19E9A097EC0DB31D60ACEE3
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2F91A4
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2F91E4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: 5f5cf0d8761052ccb95123d572efb6a695fe0f62ceed858e981aac1ae92e777c
                            • Instruction ID: 769e0e11e1751222b4d00ca3000b974a75646a94e8ead5cbf6027e579cb3e3a9
                            • Opcode Fuzzy Hash: 5f5cf0d8761052ccb95123d572efb6a695fe0f62ceed858e981aac1ae92e777c
                            • Instruction Fuzzy Hash: 0F514575201B08DBD725DF25C884BE6FBE4BB05714F448A1CE8AA47B91DB30B54ACB80
                            APIs
                            • GetLastError.KERNEL32(6C329DD0,0000000C), ref: 6C302642
                            • ExitThread.KERNEL32 ref: 6C302649
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                             • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            • Opcode ID: b467dc339945f5f28e82624903ccae8b2e248a330e0fb988dfc6f77bbd09689b
                            • Instruction ID: 2eee6e35485d61e1e890557a8233943a2d30dd53aa2949271e42505ec6c219ce
                            • Opcode Fuzzy Hash: b467dc339945f5f28e82624903ccae8b2e248a330e0fb988dfc6f77bbd09689b
                            • Instruction Fuzzy Hash: E7F0C272B00208AFDF009FB0C84DAAE7B74FF45214F140549E04197B51CF765949CFA2
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: d1266ebe5bb4c039da08ab037f3de22845a3ad72aedfafb09b7b25841f5d511a
                            • Instruction ID: 8fe7e017f1890a4c7da193ca6a8b6fc8dbd8880ef527269bc33752a2ae0e0755
                            • Opcode Fuzzy Hash: d1266ebe5bb4c039da08ab037f3de22845a3ad72aedfafb09b7b25841f5d511a
                            • Instruction Fuzzy Hash: 19114872A0420AAFCF05CF58E944E9B7BF8EF49308F1444A9F819AB311D671ED15CBA5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction ID: 344d69a4f1b911957fa3e8d789ddb5a3eff2a35e721580de71dc5f6c6ed9b50f
                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction Fuzzy Hash: ED014F72C0515DBFCF019FA8CC00AEEBFB5AF09254F144165ED64E2650E7318A25DF91
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6C317805,?,?,00000000,?,6C317805,00000000,0000000C), ref: 6C317B64
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 837c8188c73a388cac926f93c32b73189d89aca8d0583b4b1bc798d857d164a0
                            • Instruction ID: 414b0b70af1a3c9b491eedb148162e0003ab3f7b0dd7830c1f16a6a7015897cf
                            • Opcode Fuzzy Hash: 837c8188c73a388cac926f93c32b73189d89aca8d0583b4b1bc798d857d164a0
                            • Instruction Fuzzy Hash: E8D06C3210014DBBDF028E84DC06EDA3BAAFB48715F014000BA1856020C736E861AB90
                            Memory Dump Source
                            • Source File: 00000007.00000002.2365244707.000000006C171000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C170000, based on PE: true
                            • Associated: 00000007.00000002.2365212420.000000006C170000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366454976.000000006C31B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2368073330.000000006C4E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction ID: 28179f390545bb59ac6211e3edb30cb7bc7c8ca1700b6167cdc727b03ba95095
                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction Fuzzy Hash:
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C346097
                              • Part of subcall function 6C3491D6: __EH_prolog.LIBCMT ref: 6C3491DB
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $ $*$0UJ$@$@
                            • API String ID: 3519838083-862571645
                            • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                            • Instruction ID: 8a84208a00758acdb5f5ce69b68c9631c32aba0002932112ceba6b00efc356ab
                            • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                            • Instruction Fuzzy Hash: 20336C30E002589FDF25DFA4C890BEDBBF5AF45308F1080A9D449ABA51DB759E89CF52
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C3988A4
                            • __aulldiv.LIBCMT ref: 6C398C4A
                            • __aulldiv.LIBCMT ref: 6C398C78
                            • __aulldiv.LIBCMT ref: 6C398D18
                              • Part of subcall function 6C39A36D: __EH_prolog.LIBCMT ref: 6C39A372
                              • Part of subcall function 6C39A40E: __EH_prolog.LIBCMT ref: 6C39A413
                              • Part of subcall function 6C399E78: __EH_prolog.LIBCMT ref: 6C399E7D
                              • Part of subcall function 6C39424A: __EH_prolog.LIBCMT ref: 6C39424F
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog$__aulldiv
                            • String ID: L$b
                            • API String ID: 604474441-3566554212
                            • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                            • Instruction ID: d89c695be57e56ec6466778c5af7f10a7ba1c58cbbdc0a980fbf1739ed666785
                            • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                            • Instruction Fuzzy Hash: E4E29B30D05299DFDF11DFA4C990ADCBBB4AF19308F14409AD489A7B41EB316E89CF62
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C38B4B1
                              • Part of subcall function 6C38C93B: __EH_prolog.LIBCMT ref: 6C38C940
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 1$`)K$h)K
                            • API String ID: 3519838083-3935664338
                            • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                            • Instruction ID: 6f39da414bb35d7211e04214fc0c2ae1b014b141226c1a431bd12b22178dff63
                            • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                            • Instruction Fuzzy Hash: 96F28B70D02258DFDF11DFA8C884BDDBBB4AF89308F244199E449AB781DB759A85CF21
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C37DEF4
                              • Part of subcall function 6C381622: __EH_prolog.LIBCMT ref: 6C381627
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $h%K
                            • API String ID: 3519838083-1737110039
                            • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                            • Instruction ID: 278b0adac86fffe3c2277dcfadf3fc3430038df4c77c36c50e44e957d16adeeb
                            • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                            • Instruction Fuzzy Hash: CF538A30901258DFDF25CBA4C984BEDBBB4AF09308F1440D9D499A7791DB35AE89CF62
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $J
                            • API String ID: 3519838083-1755042146
                            • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                            • Instruction ID: 679a5072a734d637d4217048d7b1017a8d2d26e1369b21ad939cede050209e37
                            • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                            • Instruction Fuzzy Hash: C7E2DD30906289DFEF01CFA8C594BDDBBB4AF09308F248089E855AB791EB75D945CF61
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C359CE5
                              • Part of subcall function 6C32FC2A: __EH_prolog.LIBCMT ref: 6C32FC2F
                              • Part of subcall function 6C3316A6: __EH_prolog.LIBCMT ref: 6C3316AB
                              • Part of subcall function 6C359A0E: __EH_prolog.LIBCMT ref: 6C359A13
                              • Part of subcall function 6C359837: __EH_prolog.LIBCMT ref: 6C35983C
                              • Part of subcall function 6C35D143: __EH_prolog.LIBCMT ref: 6C35D148
                              • Part of subcall function 6C35D143: ctype.LIBCPMT ref: 6C35D16C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                            • Instruction ID: 780f4bfe3dbd0d2c86d6b25760f91fea36796784077cb8b2274af8b72936d903
                            • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                            • Instruction Fuzzy Hash: BA03BD30805298DFDF11DFA4C990FECBBB0AF15308F548099D4896BA91DB349B99DF62
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 3J$`/J$`1J$p0J
                            • API String ID: 0-2826663437
                            • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                            • Instruction ID: ea198ad4057b56cc08eba8dc62048c68bf3d5b956653def40f39fd7dfd46467a
                            • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                            • Instruction Fuzzy Hash: 8D411772F109200AF3488E7A8C845A67BC3C7C9346B4AC23DD5B5C66D9DA7DC91786A4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: W
                            • API String ID: 3519838083-655174618
                            • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                            • Instruction ID: e660e2d0cc8f8193caae2b09cf4ca5a1f898f6c0d10f9ad5a129e6225ed13140
                            • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                            • Instruction Fuzzy Hash: A6B28A70A06259DFDF01CFA8C498B9EBBB8AF49308F244099E855EBB41C776D941CF61
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-3916222277
                            • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                            • Instruction ID: 3770b20513d4716f4c44e8cbc36c0ffa978df56929e48e2c408635ff5313b90a
                            • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                            • Instruction Fuzzy Hash: 7B929D30901249DFDF24CFA8C988BDEBBB1AF09308F244099E855AB751CB7A9D45CF65
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-3916222277
                            • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                            • Instruction ID: 54c054bbc47ff40e0b6ec1362b2654bcb2798fae2339c9af653675fbec16b515
                            • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                            • Instruction Fuzzy Hash: 67225870A012099FDB14CFA8C494BADBBF4BF48308F108559E85A9BB92D775E949CF90
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C37789B
                              • Part of subcall function 6C378FC9: __EH_prolog.LIBCMT ref: 6C378FCE
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @ K
                            • API String ID: 3519838083-4216449128
                            • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                            • Instruction ID: 24d34ecdb11dcac24fa3bf854cfa1b76d5edca78d1ad4d804ab0743f9ce3889f
                            • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                            • Instruction Fuzzy Hash: E9D1D030E002058FEB26CFA4C490BDDB7B6FB86318F15816AD445ABB84C7799945CF6A
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: 513f233751344f1bc58c07815d14b2393bb89969005256efafb00cdd013c4f82
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: E691D131D012199BEF14EFA4E8909EDF775BF0530CF208069D4926BA51DB3AD989CF91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction ID: d59dbb9447ac9ba4222adaf47d3973c03065e4ddc5ae202a4ffab0263219451f
                            • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction Fuzzy Hash: 40B2BC70A05758CFDB21CFA9C490BDEBBF1BF04308F104699D49AA7A91E732A985CF51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: 1ec4dc51a13fea96b2b36d252c305be5b89dfcb8495303315c658ba98d7bc031
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 9F218F377A48564BD74CCA28DC33AB92680E748305B88527EE94BCB3D1DE6D8800CA49
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C34840F
                              • Part of subcall function 6C349137: __EH_prolog.LIBCMT ref: 6C34913C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction ID: 1d510941ca0b7e13922f5ecfa19f44812a104a5c702408b6f8e1e4f5adfc2f6b
                            • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction Fuzzy Hash: DA626871901259CFDF15CFA8C890BEDBBF5BF04308F14806AE845ABA80D7759A45CF92
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: YA1
                            • API String ID: 0-613462611
                            • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction ID: 3ee0cc1b6e454358b4e4c741fbb8802797507a0219d903b822e73664ba3cdd06
                            • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction Fuzzy Hash: D842D2706093818FD315CF68C49069ABBE2EFD9308F14496DE4D68B752D672D91BCF82
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                            • Instruction ID: 638384f44aaefd413f291cda503f7363c52693537f81020f097504fdef9d30c9
                            • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                            • Instruction Fuzzy Hash: 54E17B756083458BC724CF29C880AAEB7F5BFC8314F148A2EE899CB755D731A945CF92
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                            • Instruction ID: 31886b1cada18ebaaa66fa09e4fb3cdd454d37600a8496f2636bb55fc8734a6a
                            • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                            • Instruction Fuzzy Hash: 55F17770901249DFDB24CFA8C590BDDBBB0BF08308F14816DD449ABB51D739AA99CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                            • Instruction ID: 1e56450b9bd6008a704e9b10c704c6dbe25805d2aa84394882c6311be2e3449f
                            • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                            • Instruction Fuzzy Hash: F1324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction ID: 2706543dca4aa6cb9299ed663f2c6074eac1ce7bf5974cb7808b1b3a33b5626b
                            • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction Fuzzy Hash: 7C1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: da8f422cb8f2cfa06e21bae786b990bbba9f11a4a08a69b969b52b8146b51562
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: 6151F871A082959BD711CF5EC4C02EDFBE6EF79214F18C05EE8C897242D27A498BCB61
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction ID: 94f79dbf0ebc71a4b559067782ea613e361bb14177fdda2e9c420ab1162854fe
                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction Fuzzy Hash: EC028B316093808BD724CF69C49079EBBE2EFC9708F144A2DE8D997B91C7759946CF82
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction ID: 79dc3459c6d8c291b510306740b638aaf83be00cfd0cb9cf776d37a756cfe030
                            • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction Fuzzy Hash: 18D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 5e21f5ec3e2d0edb0d45ec576d09f790815539ce0e3d8d3404baefe159a47674
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: ED519473E208314AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6DD78989087D4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction ID: b1ffebc92a6d4dd2544254b419a6f1b05c66f469f1bc87e9e641ffd4c7766bde
                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction Fuzzy Hash: 5A727CB2A042128FD708CF18C490258FBE1FF89314B5A46ADD95ADB742EB71E895CFC1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction ID: 0a4564945bc0cdefba90a444c539e7eb92908cafeec9eabb73f3da54930cf5de
                            • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction Fuzzy Hash: DB524B31208B418BD368CF69C5907AAB7E2FB85308F148A2DD4DAC7B51DB75E85ACF41
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: 13c520a7af372ef7ddf9428a38516761b544aa8529db9614060d0be78c481281
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: F16203B1A083458FC714CF19C48051ABBF5BFD8748F248A6EE899A7B18D771E845CF82
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction ID: cdaab4ed4d4bb50ca4b3c6125cc0b507d60667d7cf19b8c619623d8ae6c301b7
                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction Fuzzy Hash: 86428F31604B058BD328DF69C8907AAB3F2FB94318F044A2DE496DBB94EB74E549CF51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                            • Instruction ID: 420a06de5eb67b64393981d88ce6f38bb9486ec35b2f3c88cb6de032bc320ffa
                            • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                            • Instruction Fuzzy Hash: D532AF72A0424A8BDB08CF58C8902DE7BA2FF89358F15853DEC599B780D771D966CF90
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction ID: a0aa38ff9f00f99e6fcb2600d9650bd8e3441c2677c924dcd4f29e116e3a0291
                            • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction Fuzzy Hash: 6712CC712093418BC718CFA8C5D06AABBE2FF89344F54492DE8D68BB45DB31E856CF91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction ID: bb11b4744f60e83a8fe35911be1be0403f1bfc404e17f0ce3d0f3449bf77ecfc
                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction Fuzzy Hash: 5A021973A083514BD718CE1DCC80219B7F3FBD1390F6A4A2EE89597B85DAB09946CF91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: 3055341f2a64dd37d7627a1f31acc80f18c6e1921fdc244aedd06eda53d6d90d
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: EE020932A182118FC319CE28C4D0269BBF2FBD5355F150B2EE496E7E94D7709945CFA2
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction ID: 93cbcd8b336f53c32249d9c8c806bd0aece5fad8e7d25bf00c24d0c773697741
                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction Fuzzy Hash: 4E12D2306087518FC324CF2EC49066AFBF2AF85305F188A6ED5D687AA1D735E948DF52
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction ID: 047cfd31ecd024e014559a50f64e793978f27b1d1c2ca804deb4bbdc51dd93fd
                            • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction Fuzzy Hash: B2F163326042898BEB28CF69D8547EEB7E2FBC1304F54453DD889CBB40DB36950ACB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction ID: 12b74b6791495150d2b9794dca01f6c40a97f50cc40d40f13a2738e7861f2ec2
                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction Fuzzy Hash: ABE1F032704B008BD724CF69D4A03ABB7E2EBC4314F544A2DC59787B81DB76A55ACF81
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction ID: ce04b8ada3bae187d509b23a507e649539184f5d94c0d5a867388af890a71281
                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction Fuzzy Hash: 69F1C1706087518FC328CF2DC49426AFBE1BF89304F188A6EE1D6C7A91D339E954DB52
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction ID: d8d9640b00ec60195ac7caf848f0bc46dcbd4b21afbf8aaf3e55713f548ac277
                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction Fuzzy Hash: 50F1C0785087518BC329CF2DC49026AFBF1BF99308F148A2ED5D68AA91D339E155CF51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction ID: 1f5b3b195592f7049528a069e741b80a418b4c560963a285c5b2936fc603314a
                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction Fuzzy Hash: A3C1D371604B068BE328DF6DC4906ABB7E2FBC4314F158A2DC19797B45D632B4A6CF81
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction ID: c7ba71b3fe74ffdb4106d2fb5f9c7261a8ea8dcbe4c91fcb1113813e2bdb4738
                            • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction Fuzzy Hash: 1AD140715046068FD319CF1CC5A8236BBE1FF86304F054ABCDAA2ABB8AD7369614CF50
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction ID: c4bb253f3094f1a04727a31857055e824afd6e7893fff19d2adece58f17fe262
                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction Fuzzy Hash: 07E1F6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A942DB94
                             Memory Dump Source (identical for every function record below)
                             • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                             • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmp
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                             Similarity (one entry per function; Opcode ID and Opcode Fuzzy Hash carry the same value in every record, and API ID, String ID and API String ID are listed only where the record has them)
                             • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                               Instruction ID: ebc2cfecf7ceb20d41d2371cdec21412e240ea73a65b7f8b06bae9c0f8d98654
                               Instruction Fuzzy Hash: DAB180B16166118FC340CF29C8802457BA2FFD526977587ADC4A8AFE5AD336E847CB90
                             • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                               Instruction ID: ae06739480fadc2dbb86d7593af1cf5c57f9eab3fbd8e94bf9d4aa7e976703fd
                               Instruction Fuzzy Hash: BAC1A535204B418BC719CE79D0A0697BBE2EFD9314F148A6DC4CE4BB55DA31A40ECF55
                             • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                               Instruction ID: d693e05ac294f2c3794ce6571557b575b4a9777d6cca4efbaac8c306d7733243
                               Instruction Fuzzy Hash: 98B17C72A012058FC340CF29C884254BBA2FF9536CB79969EC8949FA46D337E847CF90
                             • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                               Instruction ID: ca15a8c7b6e160df2dfda5e45835b548f2b5da2e7c01b0b8c98020126aebd451
                               Instruction Fuzzy Hash: 61D1F7B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB600B753D634BB12D794
                             • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                               Instruction ID: 01210edaadf1772fb1c91512c9d43042ec31f8303b814adf74517666b230b3fd
                               Instruction Fuzzy Hash: C3B1D3313047458BD354DEB9C990BDAB7E1EF84308F04452DC5EA8B751EF36A91A8F92
                             • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                               Instruction ID: bf1c92be90f921bde0198a87a8f5214fc4d65fd5b668c9340d656e08f6f63945
                               Instruction Fuzzy Hash: 89B1AE756087028BC304DF69C8906ABF7E2FFC8304F14892DE499C7715EB71A56ACB96
                             • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                               Instruction ID: a35b988e5fdcceeaefd9e8f88d0cec2df0e77c77dcd77c8d7bd2ed513f6d00d8
                               Instruction Fuzzy Hash: FBA1E2726083418FC318DF69D49069ABBE1EBD5348F144A2DE4DA87B41D633E95BCF42
                             • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                               Instruction ID: 6251b154b1d2737ef081adcc1c86256534e667d59eec9ecbe13204e2138d39e1
                               Instruction Fuzzy Hash: CA6143B23182158FD308CFA9E5C0A66B3E5EB95321B1685BFD105CB365E772DC52CB18
                             • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                               Instruction ID: ef0ecdde8ae3060574e4a3b1e1a3769bfa60dac4662dcc53c73a5b453b3cdda8
                               Instruction Fuzzy Hash: EC81CF35A047018FC320DF69D080296B7E1FF99708F288AADC5999B711E773E947CB81
                             • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                               Instruction ID: 934528bedc92ab1c4b4fc2ccdd971c3d71781ed9078cfca40823ae4becdee231
                               Instruction Fuzzy Hash: 63A1CB7190864A8FD729CF18C490AAEB7F2FFD4308F188A2DE8869B741D735A655CF41
                             • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                               Instruction ID: 3cb051a9b939f5f2f51a6ed941d5065101dec5c3a254125b97dea31ef84f046d
                               Instruction Fuzzy Hash: 96917D7281871A8BD314CF18C88025AB7E0FB98308F09067DED9AAB341D739EA55CBD5
                             • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                               Instruction ID: 3860010ea998944837be4701ae724beea9cac5437715af313ea80cb1e94b26f4
                               Instruction Fuzzy Hash: 6151AE76F006099BDB88CE98DD916EDBBF2EB89308F248169D012E7781D7759A41CF90
                             • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                               Instruction ID: 7f666417ddf58762b970f94a3996642d103b8acadd81ba189c8d3df06c1b268c
                               Instruction Fuzzy Hash: 1C515B74A083468BD710DF1EC88061AB7E1FF98708F244A6DE99487712E772E906CFD2
                             • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                               Instruction ID: 1b5f7ced9cd86406aeff1fa0cbe99b8aec9942cc4713fb8b90a3d090850df005
                               Instruction Fuzzy Hash: B9311427BA440143C70CCD3BCC12B9FA1975BD422A75ECF396D05CEF55D52DC8164645
                             • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                               Instruction ID: 13feb0cc42bde8af6940205a0f6f1e7946adf2827d439026b00f37b6c358da5d
                               Instruction Fuzzy Hash: 22310F73901A050BF201851ACF4C3967223DBE2379F1A8724DA6E67EECDA73944689C1
                             • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                               Instruction ID: 0314a697db55141a8eee7c84390a1ea2a45b9262d778ef8dbe1e3d225ef97399
                               Instruction Fuzzy Hash: B2313B73504A050AF2008569CA487977223EBE637CF29C765D966A7EECCB73D506DA40
                             • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                               Instruction ID: e56b94209bca1dea34c2e87b784a33536630b361909a4ff8feadc209066b1b97
                               Instruction Fuzzy Hash: 1E41D0729047068FD700CF19C89066AB3E4FF99318F440A2DE99AA7781E331EA15CF81
                             • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                               Instruction ID: 3bb1e0f9b7eddfa0e249fb587c7fca38979b0651d7497e3a2fce5e0ca29c5739
                               Instruction Fuzzy Hash: 53214B71B047AB07E7209E6DCCC437977929BC2305F094279D9708F647D17A88A2D660
                             • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                               Instruction ID: da4d9ab75b6577d478289322136beb0d89456c306b41be659d9f5f4cc36aa53e
                               Instruction Fuzzy Hash: 96219077320A064BE74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C785
                             • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                               Instruction ID: 3ccfea36d4278695d74dab90a09612b76d5d559c17bf9881cb815e6b350a4a80
                               Instruction Fuzzy Hash: 67218E327193428FC308DE58D88096ABBE6EFC9210F15856DE9849B351C635E906CB91
                             • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                               Instruction ID: 98c22bf86b9295e17a6cbed6c9aedeb2b2bcd9bb70680d1b521178664ba5320d
                               Instruction Fuzzy Hash: CD118E726283864BC308CE1DDC90966BBE5FBD9200F24497DE985DB341C626D906DB95
                             • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                               Instruction ID: 8ef161133a0f4bd1b1c5302bee188bf9691928d704c859002cc79c97d3414ab7
                               Instruction Fuzzy Hash: C2015E6529628989D781DA79C490348FE80F752202F9CC3F4E0C8CBF42D98AC44AC7A2
                             • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                               Instruction ID: 59bf5d01cdd95de8c8ab851fe46e62793e6d43d06130d1b4bb8367991225acc7
                               Instruction Fuzzy Hash: 3301817291462E57D7189F48CC41136B390FB95312F49823ADD479B385E735F970C6D4
                             • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                               Instruction ID: 57a0ace18695956426ac659dfc2981a4b3376aa2d8206d207bc466df2edcfb44
                               Instruction Fuzzy Hash: 64C08CA722910017C302EA2599C0BAEF6B37360330F228C2EA0A2E7E43C329C0748512
                             • API ID: H_prolog
                               String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                               API String ID: 3519838083-609671
                               Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                               Instruction ID: 1debf55bf67d68bf20bfe0f62debff5b371230d2fe439bf1caff2929ef5c19ba
                               Instruction Fuzzy Hash: 7BD1A071A0420A9FCF01CFA6D980AEEB7B9FF05308F204519E095A7E54DB71E909CF61
                             • API ID: H_prolog
                               String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                               API String ID: 3519838083-3887797823
                               Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                               Instruction ID: b61925f384b72ba52bf8ad599742133b668e47bf3ab8744fb72045b556a382c0
                               Instruction Fuzzy Hash: 2502E670902249DFDF21DF54C890ADDFBB5BF05308F5481AED099A7A90D731AA89CF62
                             • APIs: __EH_prolog.LIBCMT ref: 6C378B74
                               Part of subcall function 6C378AC2: __EH_prolog.LIBCMT ref: 6C378AC7
                               API ID: H_prolog
                               String ID: DJ$H K$L K$P K$T K$X K$\ K
                               API String ID: 3519838083-3148776506
                               Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                               Instruction ID: ea1f1c731c452dc1ae125c11ccd02e5d0e12856ecf98922c16ed853a3c7255a2
                               Instruction Fuzzy Hash: 655193309001469BCF24EA64C580AEEB376AF5131CB10C51BDDA57BA80DB7E990ACF77
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $ $$ K$, K$.$o
                            • API String ID: 3519838083-1786814033
                            • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                            • Instruction ID: 8f528a539a6e4d851c47694dc7c08b064e901f7f1fabdb9ab57cfef5f1ad8252
                            • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                            • Instruction Fuzzy Hash: 49D1E6319042598FCF22CFA8C9A47DEBBB1FF0A308F244669C495ABA41C77A5904CF75
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction ID: c970cb3c734ab29f14b9cea3e2ffa879d67eb3256b65474542448dc4fff66b3b
                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction Fuzzy Hash: 0F127771900219EFDF10DFA8C980AEDBBF9FF48318F208169E959AB650CB369944CF51
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 6aa7143cc2dce0aa0beb636c94f7306d510ceab9368cc905d7457065b95ada17
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: 28219170A41269FEDF108E94CC80DDF7A69EB417A8F208227B568A1690D2768D50DEA3
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C33D6F1
                              • Part of subcall function 6C34C173: __EH_prolog.LIBCMT ref: 6C34C178
                            • __EH_prolog.LIBCMT ref: 6C33D8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: a7ef15384e6ccad2471520eb91418f9b4e3616210f5aed5c85bf7f3c55983b0a
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: B0719E309102A4DFDB14DFA4C444BDDB7B4BF14308F1080A9D8996BB91CB75AA09CF92
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C386853
                              • Part of subcall function 6C3865DF: __EH_prolog.LIBCMT ref: 6C3865E4
                              • Part of subcall function 6C386943: __EH_prolog.LIBCMT ref: 6C386948
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: ((K$<(K$L(K$\(K
                            • API String ID: 3519838083-3238140439
                            • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                            • Instruction ID: c9642e3d4c6ec8e89c3b141f7d877d1f882fa0a938f0e6df6de1328192627bdc
                            • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                            • Instruction Fuzzy Hash: 88212AB0901B40DEC724DF6AC55469AFBF4AF50308F108A5F80A687B50DBB46A088F66
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C35141D
                              • Part of subcall function 6C351E40: __EH_prolog.LIBCMT ref: 6C351E45
                              • Part of subcall function 6C3518EB: __EH_prolog.LIBCMT ref: 6C3518F0
                              • Part of subcall function 6C351593: __EH_prolog.LIBCMT ref: 6C351598
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: 2bdd64b98f4186b1670a918a5ddda51cdb9f6cd7e0233ca3d7fb633dd7cf0565
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: 6921A771E01358AACF04DFE4D9819ECBBB4AF25308F20002AD49227780DB788E0CCF62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ$`J
                            • API String ID: 3519838083-2453737217
                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction ID: 7bd1fc1050ac1bf5546dbe5c6b036471a9ff82ef5209f5a308ab2904a6be7383
                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction Fuzzy Hash: 8911B0B0900B64CEC720CF5AC45459AFBE4AFA5708B10C91FC4A687B50C7F8A509CF9A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 791d6f99bb82da7aee9f1b11f626d5f1ef09cf18c2fd2c4617c83e94756aacab
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: 27129930A06249DFDB24CFA4C480ADDBBB1BF08308F149569E485ABB51DB39E945CF65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: 58237489f2db049d7e7f929a3d1bea6dee8dc5b0fedc7d312938d62f7df3a1ce
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: BFB13AB1E012099FCB14CF99C8809EEBBF5FF48318B60852ED456A7B50D731AA85CF91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $CK$CK
                            • API String ID: 3519838083-2957773085
                            • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction ID: 56138ea582f79980455a8563823b68a14d26f197639133893729a8ee0f5424fc
                            • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction Fuzzy Hash: 84219271E41309CBCB04DFA8C5801EEB7FAFB95318F14862AC452A7B91C7755A06CEA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$LrJ$x
                            • API String ID: 3519838083-658305261
                            • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                            • Instruction ID: 3e0adedcf248490bb32ad9a995acde50c1a76dde01261fa2bf598f03be99ded0
                            • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                            • Instruction Fuzzy Hash: FD218E32D011199BDF04EBD8D991AEDB7B5EF58308F20005AD45177B40DB7A9E08CFA6
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C357ECC
                              • Part of subcall function 6C34258A: __EH_prolog.LIBCMT ref: 6C34258F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 748ca82d5c18e883cfb00a2729ddcb4d89a8402233bbf533e8fa8cbf6c1f6211
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: 4921A8B0901B40CFC760CF6AC14429ABBF4BF29718B50C95EC0EA97B11D7B8A609CF55
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C3761BA
                              • Part of subcall function 6C376269: __EH_prolog.LIBCMT ref: 6C37626E
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ
                            • API String ID: 3519838083-3152824450
                            • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                            • Instruction ID: 4b564856c24931815e700aeaf0eb83f788576d174a8ccca0566396fc06fb7b7a
                            • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                            • Instruction Fuzzy Hash: 7011C3B1901754CFC720CF5AC4986D6FBF0BB25304F54C8AED0AA87711D7B8A908CB65
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: <J$DJ$HJ$TJ$]
                            • API String ID: 0-686860805
                            • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction ID: 583effc40e55e7d62dd8b6fd114b02f73366e60c84b62cb5b3cd5d1a32367311
                            • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction Fuzzy Hash: A341A731C05399AFCF14DFA0D490CEEF7B4AF11208B60C569D1A167950EB3AA68DCF92
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                            • API String ID: 0-3393562052
                            • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                            • Instruction ID: 9a01f52449a782d8f1f6e997f7a7364384eb459279da440508f1174862e8791e
                            • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                            • Instruction Fuzzy Hash: 3A21F7B1540B419FC320CF16C48578BFBE4FB15754F50DA2ED5AA57A40C7B8A508CB99
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C331077
                              • Part of subcall function 6C330FF5: __EH_prolog.LIBCMT ref: 6C330FFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :$\
                            • API String ID: 3519838083-1166558509
                            • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction ID: f20b452811948720b2e6061714de62294cf7ae8b55323316ce32a6b395efdad3
                            • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction Fuzzy Hash: 09E106309003A59BDF11DFA4C890BDDB7B1BF0531CF106219D49A6BAA0DB76E549CF62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x'K$|'K
                            • API String ID: 3519838083-1041342148
                            • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                            • Instruction ID: ebe7649ae1b337cf4216b28fa7089a269b75b2fc964024442ba5f4c12bf2d8ad
                            • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                            • Instruction Fuzzy Hash: A8D139709167469ADF20DB64D850AEEBB76FF0330CF20451DE0A693D90DB26A54ECF62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            • API String ID: 3519838083-1391159562
                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction ID: a55d8e9549830ab73af1c4a11b4ddc70c49db6c556b928db5f2d55d8d0414128
                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction Fuzzy Hash: 54911570910258DFCB10DFA9C994DDEBBF4BF18308F94451EE49AA7A90D771AA48CF21
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C34BC5D
                              • Part of subcall function 6C34A61A: __EH_prolog.LIBCMT ref: 6C34A61F
                              • Part of subcall function 6C34AA2E: __EH_prolog.LIBCMT ref: 6C34AA33
                              • Part of subcall function 6C34BEA5: __EH_prolog.LIBCMT ref: 6C34BEAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c170000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: d970bb65882ee0742fa9b46a235cfc5587d93eb833594878ca9b610fd2373a35
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 90817C31D00658DFCF15DFA4D980ADDBBB4AF09308F1080A9E58267790DB34AE49CFA2
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2366548192.000000006C32B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C32B000, based on PE: true
                            • Associated: 00000007.00000002.2367177195.000000006C3F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2367248604.000000006C3FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin