Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe (Unicode-escaped; decodes to 安装程序_1.1.3.exe, where 安装程序 is Chinese for "installer")
renamed because original name is a hash value
Original sample name: _1.1.3.exe
Analysis ID: 1580552
MD5: b4a5718734eb335d7863f26f88508eae
SHA1: 8ddc695505f8bbd6120021e237881f2b43e4cad4
SHA256: 4fad9b626aab59dd99326ab62f605a7e53f23ca62f7604b491cdf3541e257a36
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe (PID: 712 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" MD5: B4A5718734EB335D7863F26F88508EAE)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp (PID: 6672 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" MD5: 200D5FBEB088D930F68C926A324CF1A1)
      • powershell.exe (PID: 6528 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 1072 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe (PID: 3820 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT MD5: B4A5718734EB335D7863F26F88508EAE)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp (PID: 7132 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$10412,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT MD5: 200D5FBEB088D930F68C926A324CF1A1)
          • 7zr.exe (PID: 2796 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5440 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5792 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3308 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6748 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2648 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 3712 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 1424 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 5472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5260 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 6316 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7244 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7344 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7424 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7672 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7688 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 8104 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 8128 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 812 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7376 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7456 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7520 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7684 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ParentProcessId: 6672, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, Image: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5792, ParentProcessName: cmd.exe, ProcessId: 3308, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ParentProcessId: 6672, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe", Image: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ParentCommandLine: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe", ParentImage: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, ParentProcessId: 712, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, ProcessId: 6672, ProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, Image: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5792, ParentProcessName: cmd.exe, ProcessId: 3308, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ParentProcessId: 6672, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, Image: C:\Windows\System32\svchost.exe, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 624, ProcessId: 6748, ProcessName: svchost.exe
No Suricata rule has matched
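The Sigma matches above key on three command lines from the process tree: the PowerShell call that excludes the whole of C:\ from Defender scanning, the sc.exe call that registers a kernel-type service whose image is a .dll under Program Files rather than a .sys under System32\drivers, and the password-protected 7zr extractions of .dat files; the tree also shows the same "sc start CleverSoar" chain being retried roughly thirty times. The following Python is an added example and is not part of the Joe Sandbox report or of any Sigma rule: it runs that detection logic over constructed process-creation events whose command lines are copied from the tree. The PIDs used for the "sc start" burst are synthetic stand-ins; the thresholds and the archive-extension list are assumptions.

```python
"""Detection logic for the behaviours recorded in this report, run over constructed
process-creation events. The command lines are copied from the report's process tree;
the events themselves are inline test data, not sandbox telemetry."""
import os
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon EID 1 or 4688 event carries)."""
    pid: int
    image: str
    cmdline: str


# Constructed sample events. Command lines and the first four PIDs come from the report's
# process tree; the 30 "sc start" events use synthetic PIDs standing in for the repeated
# cmd.exe -> sc.exe chains shown there.
SAMPLE_EVENTS = [
    ProcEvent(6528, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ProcEvent(2796, r"C:\Program Files (x86)\Windows NT\7zr.exe",
              "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ProcEvent(5440, r"C:\Program Files (x86)\Windows NT\7zr.exe",
              "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    ProcEvent(3308, r"C:\Windows\System32\sc.exe",
              'sc create CleverSoar displayname= CleverSoar binPath= '
              '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
] + [ProcEvent(9000 + i, r"C:\Windows\System32\sc.exe", "sc start CleverSoar") for i in range(30)]

ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".bz2", ".cab"}  # assumption
# "sc" / "sc.exe" / "C:\...\sc.exe", optionally quoted, followed by a verb and its target.
SC_RE = r"\"?(?:.*\\)?sc(?:\.exe)?\"?\s+{verb}\s+(\S+)"


def detect_defender_exclusion(ev):
    """Add-MpPreference -Exclusion{Path,Process,Extension} <value>. Excluding a drive root
    (here 'C:\\') switches scanning off for everything the sample drops later, so that case
    is reported separately."""
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)",
                  ev.cmdline, re.I)
    if not m:
        return None
    kind, value = m.group(1), m.group(2)
    return {"rule": "defender_exclusion", "pid": ev.pid, "kind": kind, "value": value,
            "drive_root": bool(re.fullmatch(r"[A-Za-z]:\\?", value))}


def detect_kernel_service_create(ev):
    """sc create <name> ... type= kernel binPath= <path>. sc.exe's syntax is 'key= value'
    (the space after '=' is mandatory), hence \\s* after each '='. A kernel service whose
    image is not a .sys under System32\\drivers is the odd one out."""
    m = re.match(SC_RE.format(verb="create"), ev.cmdline, re.I)
    if not m or not re.search(r"\btype=\s*kernel\b", ev.cmdline, re.I):
        return None
    bp = re.search(r"\bbinPath=\s*(?:\"([^\"]+)\"|(\S+))", ev.cmdline, re.I)
    path = (bp.group(1) or bp.group(2)) if bp else ""
    low = path.lower()
    suspicious = not low.endswith(".sys") or "\\system32\\drivers\\" not in low
    return {"rule": "kernel_service_create", "pid": ev.pid, "service": m.group(1),
            "binpath": path, "suspicious": suspicious}


def detect_password_extraction(ev):
    """7zr/7z 'x' or 'e' with a -p<password> switch. In this report the archives are named
    res.dat / locale3.dat, i.e. the extension does not match the content."""
    m = re.match(r"\"?(?:.*\\)?7zr?(?:\.exe)?\"?\s+[xe]\s+(.*)", ev.cmdline, re.I)
    if not m:
        return None
    args = m.group(1).split()
    if not any(a.startswith("-p") for a in args):
        return None
    positional = [a for a in args if not a.startswith("-")]
    archive = positional[0] if positional else ""
    ext = os.path.splitext(archive)[1].lower()
    return {"rule": "password_protected_extraction", "pid": ev.pid, "archive": archive,
            "mismatched_ext": ext not in ARCHIVE_EXTS}


def count_service_starts(events):
    """Number of 'sc start <name>' invocations per service name across all events."""
    counts = Counter()
    for ev in events:
        m = re.match(SC_RE.format(verb="start"), ev.cmdline, re.I)
        if m:
            counts[m.group(1)] += 1
    return counts


def analyze(events, start_burst_threshold=5):
    """Run each per-event detector, then the cross-event 'sc start' burst check."""
    findings = []
    for ev in events:
        for detector in (detect_defender_exclusion, detect_kernel_service_create,
                         detect_password_extraction):
            hit = detector(ev)
            if hit:
                findings.append(hit)
    for name, n in count_service_starts(events).items():
        if n >= start_burst_threshold:
            findings.append({"rule": "service_start_burst", "service": name, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The burst counter is the part a single-event Sigma rule cannot express: one "sc start" is routine, thirty of the same name in one session means the driver is failing to load (on a 64-bit host a kernel service is expected to point at a signed .sys, and the report's PDB string marks tProtect.dll as an amd64 driver build) and the installer is retrying. Against real telemetry, feed it Sysmon EID 1 or Security 4688 records with the same three fields and keep the threshold per host and per time window.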


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\update.vbc | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\update.vbc | ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Virustotal: Detection: 11%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.3% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb (a WDK driver build path: free build, amd64 target) | source: 7zr.exe, 0000000F.00000003.1285284496.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000F.00000003.1285324669.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.15.dr
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFEE090 FindFirstFileA,FindClose, 6_2_6CFEE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B96868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00B96868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B97496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00B97496
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000002.00000003.1227254428.0000000003B90000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp; 7zr.exe.6.dr; hrsw.vbc.6.dr; update.vbc.6.dr; update.vbc.2.dr | Strings found in binary or memory (DigiCert CA-certificate, CRL, OCSP and CPS URLs of the kind carried by an embedded Authenticode certificate chain; trailing characters such as "0E" are adjacent DER bytes picked up by the string scanner):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: svchost.exe, 0000000C.00000002.1382776835.00000262C6413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000C.00000002.1382912084.00000262C6442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1380884528.00000262C646E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381660409.00000262C645A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1383125839.00000262C6470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.1380884528.00000262C646E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1383125839.00000262C6470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.1383085146.00000262C6468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381314173.00000262C6467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.1383163779.00000262C6477000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1380630394.00000262C6475000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381660409.00000262C645A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382854271.00000262C642B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Note: the Bing Maps endpoints above all come from memory of the same svchost.exe instance (process 0000000C), not from the sample's own processes; they are the usual strings of the Windows Maps broker service and should be treated as host background activity unless a sample-owned process references them.
Source: svchost.exe, 0000000C.00000002.1383085146.00000262C6468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382854271.00000262C642B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381314173.00000262C6467000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382854271.00000262C642B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.1382912084.00000262C6442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.1382912084.00000262C6442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.1381816030.00000262C6431000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1383041058.00000262C6463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381359946.00000262C6462000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1382912084.00000262C6442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381508865.00000262C645E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1381527881.00000262C645D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.1383085146.00000262C6468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382854271.00000262C642B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381314173.00000262C6467000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000003.1381716191.00000262C6449000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1381816030.00000262C6431000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381687688.00000262C644A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381716191.00000262C6449000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1381753949.00000262C6441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1382854271.00000262C642B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.1381787265.00000262C6457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1382972749.00000262C6458000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216526476.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216995984.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000002.00000000.1218550263.00000000007A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000006.00000000.1230447006.000000000030D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216526476.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216995984.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000002.00000000.1218550263.00000000007A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000006.00000000.1230447006.000000000030D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vbc.2.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr | Static PE information: section name: .aQ#
Source: update.vbc.6.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE73886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFF8810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE73C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFF9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE73D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE73D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE739CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE73A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE71950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE74754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CE74754
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D1D8D12
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D144F0A
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFF4860
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D1CB06F
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D163881
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFFA133
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D17CB30
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D107A46
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D07AD43
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A6D50
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D084F11
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0ACE80
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0AC9F0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D09889F
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A2A50
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A4AA0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A0AD0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B25C0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0725EC
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D04840A
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0CC700
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0C67C0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0C2640
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D09E650
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0AC6E0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0AA1F0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B2050
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D046092
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B0380
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B0280
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A9D10
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D059CE0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D02BEA1
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D045EC9
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D07DEEF
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B1EF0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A9900
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0BD930
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0BB950
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D02B972
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A1810
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B9820
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D077896
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0BF8D0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D043B66
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D09DB90
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D033BCA
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0C1BC0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D083A52
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B7AA0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D095521
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0BB520
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A5580
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0AF580
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A75D0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D08B4AC
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B14D0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B97A0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D02F7CF
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D08F7F3
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0C1600
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0A3020
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B10E0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B6750
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6D0B9AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BD81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C181C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C28240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C04250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C204C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C08650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BE0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C08C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C24EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C20E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BF10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C1D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C291C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C15180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C21120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BF53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B953CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C254D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BDD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C21550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B91572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C1D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BE9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B997CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BA9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B91AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C15E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C15F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BAE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C122E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C32300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BFE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C125F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C066D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C12A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BEAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C16CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C170D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BFB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C27200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BBB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C1F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C07410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C1F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C2F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C3351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C23530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C33601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C277C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C03790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BBF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C17AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BE3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BABAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BABC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C17C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00C0FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: String function: 6D0C9F10 appears 682 times
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: String function: 6D02C240 appears 52 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00C2FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B928E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B91E40 appears 150 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216526476.000000000310E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamehDaOI1vvTJ2.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000000.1215270732.0000000000899000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNamehDaOI1vvTJ2.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, 00000000.00000003.1216995984.000000007F14A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamehDaOI1vvTJ2.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Binary or memory string: OriginalFileNamehDaOI1vvTJ2.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.15.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.15.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal100.evad.winEXE@130/31@1/0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFF9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B99313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00BA3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B99252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Code function: 6_2_6CFF8930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | File created: C:\Program Files (x86)\Windows NT\is-SI551.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3284:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2356:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeFile created: C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmpJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Virustotal: Detection: 11%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp "C:\Users\user~1\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$10412,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp "C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp "C:\Users\user~1\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$10412,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dll
Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeStatic file information: File size 9615883 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000F.00000003.1285284496.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000F.00000003.1285324669.00000000012E0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.15.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00C157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00C157D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x343743
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343743
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeStatic PE information: real checksum: 0x0 should be: 0x939afb
Source: update.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.2.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.15.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.2.drStatic PE information: section name: .00cfg
Source: update.vbc.2.drStatic PE information: section name: .voltbl
Source: update.vbc.2.drStatic PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: update.vbc.6.drStatic PE information: section name: .00cfg
Source: update.vbc.6.drStatic PE information: section name: .voltbl
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpCode function: 6_2_6CFFBDDB push ecx; ret 6_2_6CFFBDEE
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpCode function: 6_2_6CEA0F00 push ss; retn 0001h6_2_6CEA0F0A
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpCode function: 6_2_6D02E9F4 push 004AC35Ch; ret 6_2_6D02EA0E
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpCode function: 6_2_6D0CA290 push eax; ret 6_2_6D0CA2BE
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpCode function: 6_2_6D0C9F10 push eax; ret 6_2_6D0C9F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B945F4 push 00C3C35Ch; ret 10_2_00B9460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00C2FB10 push eax; ret 10_2_00C2FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00C2FE90 push eax; ret 10_2_00C2FEBE
Source: update.vbc.2.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\update.vbcJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\update.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2924
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Window / User API: threadDelayed 657
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Window / User API: threadDelayed 642
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Window / User API: threadDelayed 625
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6CFEE090 FindFirstFileA,FindClose, 6_2_6CFEE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B96868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00B96868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B97496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00B97496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B99C60 GetSystemInfo, 10_2_00B99C60
Source: svchost.exe, 00000011.00000002.1425238168.00000257B7E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\W
Source: svchost.exe, 00000011.00000002.1425437704.00000257B7E4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000011.00000002.1425715628.00000257B7E80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:8
Source: svchost.exe, 00000011.00000002.1425590300.00000257B7E73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000002.00000002.1244739925.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}47t_
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, 00000002.00000002.1244739925.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000011.00000002.1424673734.00000257B7E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000011.00000002.1425715628.00000257B7E80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000011.00000002.1425238168.00000257B7E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000011.00000002.1425437704.00000257B7E4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000003E.00000002.1424328398.0000023E83630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000011.00000002.1425590300.00000257B7E64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

barindex
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6CE73886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6CE73886
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6D003871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6D003871
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00C157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00C157D0
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6D00D425 mov eax, dword ptr fs:[00000030h] 6_2_6D00D425
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6D00D456 mov eax, dword ptr fs:[00000030h] 6_2_6D00D456
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6D00286D mov eax, dword ptr fs:[00000030h] 6_2_6D00286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6CFFC3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CFFC3AD

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.15.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp Code function: 6_2_6D0CA700 cpuid 6_2_6D0CA700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B9AB2A GetSystemTimeAsFileTime, 10_2_00B9AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00C30090 GetVersion, 10_2_00C30090

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000016.00000002.1431038919.0000027F14702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
MITRE ATT&CK Matrix (a number before a technique is the count the report shows for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 1 Windows Service | 3 Obfuscated Files or Information | Security Account Manager | 36 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Service Execution | Login Hook | 111 Process Injection | 1 Software Packing | NTDS | 461 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 251 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 251 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 2 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580552 | Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... | Startdate: 25/12/2024 | Architecture: WINDOWS | Score: 100
DNS/IP contacted: time.windows.com
Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree recovered from the behavior graph (dropped files and signatures in brackets):
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe [dropped C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, PE32]
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp [dropped C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+] [Adds a directory exclusion to Windows Defender]
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe [dropped C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp, PE32]
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp [dropped C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\Windows NT\7zr.exe, PE32] [Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger]
          • 7zr.exe [dropped C:\Program Files (x86)\...\tProtect.dll, PE32+]
            • conhost.exe
          • 7zr.exe
            • conhost.exe
      • powershell.exe [Loading BitLocker PowerShell Module]
        • conhost.exe
        • WmiPrvSE.exe
  • svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)]
  • cmd.exe
    • sc.exe
      • conhost.exe
      • Conhost.exe
  • 31 other processes
    • sc.exe (three instances), each starting conhost.exe
    • 22 other processes, starting conhost.exe and 21 other processes

Submitted file:
Source | Detection | Scanner | Label
#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | 11% | Virustotal |
#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | 5% | ReversingLabs | Win32.Trojan.Generic

Dropped files:
Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-9O7QN.tmp\update.vbc | 26% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-ILE5B.tmp\update.vbc | 26% | ReversingLabs |
No Antivirus matches
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | | high
    NameSourceMaliciousAntivirus DetectionReputation
                                                                        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580552
Start date and time: 2024-12-25 04:31:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 98
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe (renamed because the original name is a hash value)
Original Sample Name: _1.1.3.exe
Detection: MAL
Classification: mal100.evad.winEXE@130/31@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 27
• Number of non-executed functions: 118
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:32:00 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp modified
22:32:03 | API Interceptor | 31x Sleep call for process: powershell.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.5.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
File Type: data
Category: dropped
Size (bytes): 3111729
Entropy (8bit): 7.999929974892463
Encrypted: true
SSDEEP: 49152:yNbF5P6NhJN7cusiowH2dBewa5rLil0XzqHue/x4dCnji+zZZXjjCkTU:y1AJBawEBewa5PotZjjnZzu
MD5: A6C66A8295A62E4A12B9ED299BB083BA
SHA1: BD2524499B96AEB6C34DCB2215725C8FE38E257F
SHA-256: A5F06DA21A2F31543917A0EE5406FB7F1763C54A7A864A029983326316E7B2ED
SHA-512: 0BFE96D08D6BCC46A3E7EE54E0477EA98D09B3FA1A3E4842D7FB25B6DB10884D0D7ACF71DF0E82194AA4EEAE7B8552817147DE4B059DED161A6396A25F34F41A
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 38%
Process: C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
File Type: data
Category: dropped
Size (bytes): 3111729
Entropy (8bit): 7.999929974892463
Encrypted: true
SSDEEP: 49152:yNbF5P6NhJN7cusiowH2dBewa5rLil0XzqHue/x4dCnji+zZZXjjCkTU:y1AJBawEBewa5PotZjjnZzu
MD5: A6C66A8295A62E4A12B9ED299BB083BA
SHA1: BD2524499B96AEB6C34DCB2215725C8FE38E257F
SHA-256: A5F06DA21A2F31543917A0EE5406FB7F1763C54A7A864A029983326316E7B2ED
SHA-512: 0BFE96D08D6BCC46A3E7EE54E0477EA98D09B3FA1A3E4842D7FB25B6DB10884D0D7ACF71DF0E82194AA4EEAE7B8552817147DE4B059DED161A6396A25F34F41A
Malicious: false
                                                                                            Preview:.@S......._,.................K.r.j..}.}/.1...r..m..F.<...|...a.Lq....t.@|...65L:.....\k..A...._......y...Sy.#..YE..RS=.'I..".`...Z.H....-...Q.Jr&P.......S..o..1D....q..t........v;....H..y..3.4"..........B.;........X5Ox.To..?*......S.EXB5/..$.v..8c/b=.(.Z..v.F-2.^....~...*ntS0..o..!..Z..v..2....w-.+>..9.5...p..'..Z.:..x.G..s.i..H.....2.>....Iq..5i.p.:$..8M.1.5...eW.R....-....@w.......w....d"j....t<.2@...V....&..4,...'....#k.........0.!'w...r....|<.."..V..jX..*.....|........P7.#j5%.r.$P.7..Y.+U..(.....k.gz..<VrC..$..a..:..7..8jv..M/Y.....s..5.;......1..<..3d>R"..<..@QR/[dK.D...=..z.6.........x.rt..5..........N.[=....*..}*.......6.J.O.nT.3.?..;..[B.Y.v.7.z..8....j. Aa).._....P.n$.`...JA..z.........+....WV]..../h..a.. ....HNl..w.;...W@.o.Xw.4..k...z^.j.F...Nt...R.`.k...=..5A..P.1...l....&..LG...yp...o.=,.....F.....(.<L.M..z.`A.K.ZR.U..9.t.=....;p....d.E.(....Z...6Z...._..VN..c..t....{.8e.H...e.....N..,.......&.x...'A..V.....F..3......:...k.
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):56546
                                                                                            Entropy (8bit):7.996547741578841
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:vYx9DDO+PpMccLkXAD4Je/5yVQeyUSpU0t:A9DDxpoJ8u5QQeyUUX
                                                                                            MD5:70512377725C8C2F0797DA2BAB1DCF6B
                                                                                            SHA1:6297F4F31F46A3A0EB81B1F684997F6FACC0DA8F
                                                                                            SHA-256:023BAE09ACBCD4B82068EAEBB25BD0796F3D3B1E456B5F1081B8291231A9E38E
                                                                                            SHA-512:5771134837D9EE918FD06B4C35BC9C41BA3BFCCDD2401F5CA25E760EE97F7132D9F97EBE16638C8BFD2B532870B4606B70B01656C542CF7E45888B31141B919C
                                                                                            Malicious:false
                                                                                            Preview:.@S.......al ..............zN..Y.....9.N......*........".....XP......8h.Y..........v......v..z..\k.7..:..>.8..............E.\.}.z.t...DV.........u.$-.0.4.t.;.E....xS......H...;....2.U............Rc..l."$....#...FG.1D*..M.yb.36..:~qS$.s5...dF.edd.....C}..._...o...@}F.b....6F.\.6......t?..B..iO..._5wn.3Zn'<.8..1..C...y+;NI...}.....8Q.n./..../.......q..+.V.....w........zW....fv..p3..Z...#.... .. ..'O.+....\. ......5.....W.@C....;.^....Z.....S..4....1Z...../t...\......`.d..\.].r.A..':.WW!...V....d_....9L.....m3..O...sLN.LG.........M@l...j....Y{|...?L<..&......sU.......&...%h...)...xg...fBVZ9..$-..>...zM.R...6.j#..R.-..-uo....I.`...g#}..z.d....t..R....'k.;.<.w........H.d...X..?+>%/x..q..K......$...n..Ya,.6.O.r@).B...{..*Y...P..5.v6.....8.<..r....x.}.._i....e..j...=.qd..,"......G9m5./=.v.h..!9.;0&......x;r .\.Cz9....d#2..!8....2:@~2..\Q..Q.KK..].Q.b.Hv.h..b~1p....%.R...n....;....[.KB+Z[..&<....)..PV\......=m~.&h..'/..=..y..$G..aB7.LN.-
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:dropped
                                                                                            Size (bytes):56546
                                                                                            Entropy (8bit):7.996547741578837
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:UK6Ql/7n7xPPY3/UO3Z+j3i1VDXZfNStgbQ3AVm1:vR571w3/UX3OdZlSObW4m1
                                                                                            MD5:F055B639FAE58811A741D70827D7432D
                                                                                            SHA1:5FBF72CC586245BC4EFCB6C3B774BE271C905FC6
                                                                                            SHA-256:2CCAA8DBCC4922E9CE948D34EEE30D1D4068F1EB7604D20CD5D944B0AD0C512F
                                                                                            SHA-512:70755DF4F465A27E149533420FF4240896E8872D61C9CBCBD49B9AD16FA6B643D07A464D8A98539B5A703D35955AE29D91E77A0FF83C2EF1C9673207C35840C2
                                                                                            Malicious:false
                                                                                            Preview:7z..'....a8.........2.........gK.o.R'bT.,...MI....#.=+1....].hlu...13&...!.r"..H.w}WN.&i.*.HnSB.j..j.c.!}D.p..........LP_/.@.j.5.[.i....;e)o...s.'.D|.J...........R.......4^I.S.R.h..B.G..$.f....r{.aw8/3.........e^.........G...~..$..Y.....s..%0........x=h*e...T....7.y........e....>...y.]Rq..Fs.&.D..jQA........x.5..92A..MC........h..7..$.N.u...<..aKx(P.n?V...|K..{.xR9.2./.u...r.|9...QF-.../..E,.8+..Y.O<."..,:....mI.T.....yL.z.7.......J..;S......V..7..\..YE.'.u.....^......T..8....."O.....!.Kq..Y...O4.........?....%/iJ!p...C.@}&.........I.$".o....H..7C/.k...#.....,..#ae~.%..;.)Wr.elWC..U.X.5.R...+..Q[".....yO...b+.L..7.]e$.....Q..._...v....;..$....g.B.vt.%.3Q..0.4.W...b.+j.KmI.v.G.,r.F.).i.<D........g\..T..|..MLU.!..*..)...a.^"*.v.....,.......$..1.=..*C'nk...L...L..3..&.[......N...t8..e.......W..@..4}......IbC^.h...x.....I%A.....%...sV................!.N...a..@..G.0..i'.l~(..[.jft/......|.^..2@8 ..F.M.....I......].>)...W..y..F5l.lB....g.
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):56546
                                                                                            Entropy (8bit):7.996966859255975
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                                                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                                                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                                                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                                                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                                                            Malicious:false
                                                                                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:dropped
                                                                                            Size (bytes):56546
                                                                                            Entropy (8bit):7.996966859255979
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                                                            MD5:4CB8B7E557C80FC7B014133AB834A042
                                                                                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                                                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                                                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                                                            Malicious:false
                                                                                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):31890
                                                                                            Entropy (8bit):7.99402458740637
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                                                            MD5:8622FC7228777F64A47BD6C61478ADD9
                                                                                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                                                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                                                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                                                            Malicious:false
                                                                                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:dropped
                                                                                            Size (bytes):31890
                                                                                            Entropy (8bit):7.99402458740637
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                                                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                                                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                                                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                                                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                                                            Malicious:false
                                                                                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):74960
                                                                                            Entropy (8bit):7.99759370165655
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                                                            MD5:950338D50B95A25F494EE74E97B7B7A9
                                                                                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                                                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                                                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                                                            Malicious:false
                                                                                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:dropped
                                                                                            Size (bytes):74960
                                                                                            Entropy (8bit):7.997593701656546
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                                                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                                                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                                                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                                                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                                                            Malicious:false
                                                                                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):29730
                                                                                            Entropy (8bit):7.994290657653607
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                                                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                                                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                                                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                                                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                                                            Malicious:false
                                                                                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:modified
                                                                                            Size (bytes):29730
                                                                                            Entropy (8bit):7.994290657653608
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                                                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                                                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                                                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                                                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                                                            Malicious:false
                                                                                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:7-zip archive data, version 0.4
                                                                                            Category:dropped
                                                                                            Size (bytes):3111729
                                                                                            Entropy (8bit):7.999929974892459
                                                                                            Encrypted:true
                                                                                            SSDEEP:49152:yqhmq4HpsdTlWsFUiCUDa2XH8LRkeEFwCo+UPfFHCDEdTFeIEyWn:yqhmqGSDRq+D3SJplwExF3Wn
                                                                                            MD5:09151B703C6D64734F11708B60A596B9
                                                                                            SHA1:72C0527CBFCC1DBDC65EA928E0849033A5A98369
                                                                                            SHA-256:D5E272CE202662E4F6251F97B672F431C3840F97C8839C98B1B63241EAE2E1A7
                                                                                            SHA-512:FF66F6C0D678AF9BBA98F21C3E9CEEF66BD201A8AC88779E22D9F0742570C5F72F7FA983954B30BAAE0DB772898D7DEB43957B6B7E3D2B42AB158DB6394155BB
                                                                                            Malicious:false
                                                                                            Preview:7z..'...*....z/.....A..............s....R...6j..#Fo....s....3W.}..VQ..."..DL'......R.u....S.qL;bQW.[sm...T..........$....j&...^Gpf.........n...a.@..2..[Y..[..?m........kh.|x...g$......rM.b...^j.@NCt6f..*Q.AT.d.0[.k.@......[C....=6.v..........:.t....c...9..............>L&.....M.|..Y..T.....-EXDJ.....L..3.v~)..9Z.y....9..9.=[.5.....R.S.[.t.l.p...Z3......l..<.h..t).....A.)..9b....C$o-.!...Ab:..4.+.dx.....3gl....G..9..]C..3..Y. ...$.O.$.l..t....e....U&.0..#..|c.z,..v.....F8y.D............jP.z.*....WH,.;..e5....j8..+.x.....S@..-,...[v/....tR.b.pw!.Q,.........Tv.........)_.L..5...nUV0.aA}w.`..+;...N"....`<.+..".fP..0...%0lXYU`...:.....H......6;....-{.w.h....f7)/V.......{...C......Qmo..g.t.P h.?....Cx4..S"h.@.Sq..?.W.........-.n8f.g.~....0..F{'..?.'.BY~....~....b..2..v.....x.x.O1...k...lyR..bw....V^....}C..$.s_O^u.&..u.R.]....../...=>.V....V[.....z..._..$.2.m.N.y."FD.n-..b.\D.Z..FStQ.....~.w.O(..n.....Y~p.J.....*S...'s....lP.Cd.5..4rLY.kp-.{
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):63640
                                                                                            Entropy (8bit):6.482810107683822
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                                                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                                                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                                                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                                                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 9%
                                                                                            • Antivirus: Virustotal, Detection: 6%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):4096
                                                                                            Entropy (8bit):3.353156097045723
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:dXKLzDlnmL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnbwhldOVQOj6dKbKsz7
                                                                                            MD5:721C2B05051A486EE8150BCB1ABF0673
                                                                                            SHA1:63B69C5AEA5EDB0E9BB0FB88D9F47F2BD05AAB26
                                                                                            SHA-256:76207BAE1387CF8E7A205F34EB8FEE94E36D2A701CE305B64764B86AF6C18684
                                                                                            SHA-512:F3D59295059DB2D7653E64CE1A7414030A284120B62159C90D4B5DA24678E3D01CCC6997FF07BCD6616DCED47FF3B317A838E612E67D979B39C090C9ABED943B
                                                                                            Malicious:false
                                                                                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNe
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):2861556
                                                                                            Entropy (8bit):7.999935771460119
                                                                                            Encrypted:true
                                                                                            SSDEEP:49152:Nahs+aExjyAr7g/Sdrwv0x3bgaGDGMshP+tgQ5V1GH9e4zm:NusCVdr6Ub8DrQP+LV1exq
                                                                                            MD5:981CF9504AFF676C52CDDE681594E3A6
                                                                                            SHA1:BAC2E890817E7747371910A3701F0A458AFE564A
                                                                                            SHA-256:F99BF28DD650DDF87809D287AC8A009B3FC69B12394FEA7D697F374FEF32C993
                                                                                            SHA-512:F529A449582BA5080ABB852AFB36E6B99C23653918035CE72F964D84E8406599798C6CEB4B9EB620219081C2FBF9B49D1A8C5E1B6AC029132399DE8FD5850561
                                                                                            Malicious:false
                                                                                            Preview:Y..+m.8$B..@..M..wX..._.@.....>^%R..A.^'O.zyC..GR.}..@.74h@.&............O]....O.k..b.|.R..P.......&..c....F........]....~.0.......4..4.R..S.~..}z..(.(K^...Vvu.....7Cw+/.3....a.\U3......)..O..I}..Q.....H._.z........P=...qQW......\...-C.x.....s,......p.Z.$......}I......:w............"..}....H.......5u&.(.fp.....)...@(..<>....t.7........hs.AW..#..o..:.../..1..P...>lZ.l.+q....O]...@_$.72......y.u.....BO2CZW..F.];......nt...n....6.tk(/1Ca<{O.K.@..;.. n....I...T..(. e..H....H...pC.+mT.8..X.....m. +.......\.FQ.....":.y..O64V..m...bv.zp.;J.Ed..._.....`n..CS....S.g......+yY....].GO5....Q.Va.....E>I.iR..../L........._.....Y.l2$P.l-t....ag)....o.[.s....85+....ha.(..~]....V+.x.2km.......UYF.;...g.:.....&;v....z..D3......hq............{..@.N.q. ..{`.4A2.....t+."......-p.tW.......j.J.=..zZ."?...VV..P.OLd...a...@...x..;kF]..:c...3..N@E.>..#...z.}..n9..e.aI]...:s,.....D.G.Mt...'.:y.N..P.!..G...-PS.c..6..Ja..G.b.m....n.a......!=...Y....'u)q......S
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):1.1940658735648508
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                                                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                                                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                                                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                                                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                                                            Malicious:false
                                                                                            Preview:@...e................................................@..........
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):60
                                                                                            Entropy (8bit):4.038920595031593
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                            Malicious:false
                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):6144
                                                                                            Entropy (8bit):4.720366600008286
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3621376
                                                                                            Entropy (8bit):7.006090025798393
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 26%
                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):6144
                                                                                            Entropy (8bit):4.720366600008286
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:modified
                                                                                            Size (bytes):3621376
                                                                                            Entropy (8bit):7.006090025798393
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                                                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                                                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                                                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                                                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 26%
                                                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:modified
                                                                                            Size (bytes):3366912
                                                                                            Entropy (8bit):6.530566795389592
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                                                            MD5:200D5FBEB088D930F68C926A324CF1A1
                                                                                            SHA1:9FF14E61CFE12DC1809D72FBC26EA2B35AF72506
                                                                                            SHA-256:7DD58D354806DF09C923556FE871297D9163B3155780CC8B7076FFA92D683EE3
                                                                                            SHA-512:5ECB2819122498EDC3E9E157DB92C522CCE148D72071B73EFF97D646D9E71099C86DFA0CB6933E311EB46E3986F69842938F657F90A079329441E03EE8C6464E
                                                                                            Malicious:true
                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:modified
                                                                                            Size (bytes):3366912
                                                                                            Entropy (8bit):6.530566795389592
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                                                            MD5:200D5FBEB088D930F68C926A324CF1A1
                                                                                            SHA1:9FF14E61CFE12DC1809D72FBC26EA2B35AF72506
                                                                                            SHA-256:7DD58D354806DF09C923556FE871297D9163B3155780CC8B7076FFA92D683EE3
                                                                                            SHA-512:5ECB2819122498EDC3E9E157DB92C522CCE148D72071B73EFF97D646D9E71099C86DFA0CB6933E311EB46E3986F69842938F657F90A079329441E03EE8C6464E
                                                                                            Malicious:true
                                                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                                                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            File Type:ASCII text, with CRLF, CR line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):406
                                                                                            Entropy (8bit):5.117520345541057
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                                                            MD5:9200058492BCA8F9D88B4877F842C148
                                                                                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                                                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                                                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                                                            Malicious:false
                                                                                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.966047028094111
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                            • InstallShield setup (43055/19) 0.42%
                                                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                            File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
                                                                                            File size:9'615'883 bytes
                                                                                            MD5:b4a5718734eb335d7863f26f88508eae
                                                                                            SHA1:8ddc695505f8bbd6120021e237881f2b43e4cad4
                                                                                            SHA256:4fad9b626aab59dd99326ab62f605a7e53f23ca62f7604b491cdf3541e257a36
                                                                                            SHA512:6f9ea863acc2e30b2b88c2341aa6fc5f6917fe2064e71b12a212f38eaee4998829c0dafc4eb5813d697d54d33a2352605efb9a435d933222a95ecdd211ce6a2f
                                                                                            SSDEEP:196608:l8vIq25oT6jwqeWcbgrlWMaDpoAy6aaRs/:l8vt258+wqv+grLwMak
                                                                                            TLSH:7EA62322F2C7E43DE01E1B3B16B3A15494FB6A656822AD1786ECB4ECCF350501D3E697
                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                            Icon Hash:0c0c2d33ceec80aa
                                                                                            Entrypoint:0x4a83bc
                                                                                            Entrypoint Section:.itext
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:6
                                                                                            OS Version Minor:1
                                                                                            File Version Major:6
                                                                                            File Version Minor:1
                                                                                            Subsystem Version Major:6
                                                                                            Subsystem Version Minor:1
                                                                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                            Instruction
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            add esp, FFFFFFA4h
                                                                                            push ebx
                                                                                            push esi
                                                                                            push edi
                                                                                            xor eax, eax
                                                                                            mov dword ptr [ebp-3Ch], eax
                                                                                            mov dword ptr [ebp-40h], eax
                                                                                            mov dword ptr [ebp-5Ch], eax
                                                                                            mov dword ptr [ebp-30h], eax
                                                                                            mov dword ptr [ebp-38h], eax
                                                                                            mov dword ptr [ebp-34h], eax
                                                                                            mov dword ptr [ebp-2Ch], eax
                                                                                            mov dword ptr [ebp-28h], eax
                                                                                            mov dword ptr [ebp-14h], eax
                                                                                            mov eax, 004A2EBCh
                                                                                            call 00007F6524D9D6C5h
                                                                                            xor eax, eax
                                                                                            push ebp
                                                                                            push 004A8AC1h
                                                                                            push dword ptr fs:[eax]
                                                                                            mov dword ptr fs:[eax], esp
                                                                                            xor edx, edx
                                                                                            push ebp
                                                                                            push 004A8A7Bh
                                                                                            push dword ptr fs:[edx]
                                                                                            mov dword ptr fs:[edx], esp
                                                                                            mov eax, dword ptr [004B0634h]
                                                                                            call 00007F6524E2F04Bh
                                                                                            call 00007F6524E2EB9Eh
                                                                                            lea edx, dword ptr [ebp-14h]
                                                                                            xor eax, eax
                                                                                            call 00007F6524E29878h
                                                                                            mov edx, dword ptr [ebp-14h]
                                                                                            mov eax, 004B41F4h
                                                                                            call 00007F6524D97773h
                                                                                            push 00000002h
                                                                                            push 00000000h
                                                                                            push 00000001h
                                                                                            mov ecx, dword ptr [004B41F4h]
                                                                                            mov dl, 01h
                                                                                            mov eax, dword ptr [0049CD14h]
                                                                                            call 00007F6524E2ABA3h
                                                                                            mov dword ptr [004B41F8h], eax
                                                                                            xor edx, edx
                                                                                            push ebp
                                                                                            push 004A8A27h
                                                                                            push dword ptr fs:[edx]
                                                                                            mov dword ptr fs:[edx], esp
                                                                                            call 00007F6524E2F0D3h
                                                                                            mov dword ptr [004B4200h], eax
                                                                                            mov eax, dword ptr [004B4200h]
                                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                                            jne 00007F6524E35DBAh
                                                                                            mov eax, dword ptr [004B4200h]
                                                                                            mov edx, 00000028h
                                                                                            call 00007F6524E2B498h
                                                                                            mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 23f2a59769c97b61b46647d7c62c27d8 | False | 0.1877154181985294 | data | 3.722759106865021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2754957507082153
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 25, 2024 04:32:10.023499012 CET | 49390 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 25, 2024 04:32:10.023499012 CET | 192.168.2.7 | 1.1.1.1 | 0x38c8 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 25, 2024 04:32:10.160656929 CET | 1.1.1.1 | 192.168.2.7 | 0x38c8 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false

                                                                                            Target ID:0
                                                                                            Start time:22:31:59
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe"
                                                                                            Imagebase:0x7e0000
                                                                                            File size:9'615'883 bytes
                                                                                            MD5 hash:B4A5718734EB335D7863F26F88508EAE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:22:31:59
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user~1\AppData\Local\Temp\is-PRNL3.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$203EE,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe"
                                                                                            Imagebase:0x7a0000
                                                                                            File size:3'366'912 bytes
                                                                                            MD5 hash:200D5FBEB088D930F68C926A324CF1A1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:22:32:00
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                            Imagebase:0x7ff741d30000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:22:32:00
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:22:32:00
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
                                                                                            Imagebase:0x7e0000
                                                                                            File size:9'615'883 bytes
                                                                                            MD5 hash:B4A5718734EB335D7863F26F88508EAE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Reputation:low
                                                                                            Has exited:false

                                                                                            Target ID:6
                                                                                            Start time:22:32:01
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user~1\AppData\Local\Temp\is-MTK1S.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.tmp" /SL5="$10412,8661598,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe" /VERYSILENT
                                                                                            Imagebase:0x90000
                                                                                            File size:3'366'912 bytes
                                                                                            MD5 hash:200D5FBEB088D930F68C926A324CF1A1
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                                                            Imagebase:0xb90000
                                                                                            File size:831'200 bytes
                                                                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 0%, ReversingLabs
                                                                                            • Detection: 0%, Virustotal, Browse
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                            Imagebase:0x7ff7b4ee0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:22:32:04
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                            Imagebase:0x7ff7b4ee0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:14
                                                                                            Start time:22:32:06
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\SgrmBroker.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                            Imagebase:0x7ff66b970000
                                                                                            File size:329'504 bytes
                                                                                            MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false

                                                                                            Target ID:15
                                                                                            Start time:22:32:06
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                                                            Imagebase:0xb90000
                                                                                            File size:831'200 bytes
                                                                                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:16
                                                                                            Start time:22:32:06
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:17
                                                                                            Start time:22:32:06
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                            Imagebase:0x7ff7b4ee0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false

                                                                                            Target ID:18
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff7fb730000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 19
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff75da10000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 23
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 22:32:07
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 38
Start time: 22:32:08
Start date: 24/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c start sc start CleverSoar
Imagebase: 0x7ff6f70b0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 22:32:08
Start date: 24/12/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: sc start CleverSoar
Imagebase: 0x7ff7d3870000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 22:32:08
Start date: 24/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:42
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:43
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:44
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:45
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:46
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:47
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:48
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:49
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:50
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:51
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:52
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:53
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:54
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:55
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:56
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:57
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:58
                                                                                            Start time:22:32:08
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:63
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:77
Start time:22:32:09
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:78
Start time:22:32:10
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:79
Start time:22:32:10
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff7d3870000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:22:32:10
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:81
Start time:22:32:10
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff6f70b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:82
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:83
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:84
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:85
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:86
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:87
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:88
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:89
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:90
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:91
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:92
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:93
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:94
                                                                                            Start time:22:32:10
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\sc.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:sc start CleverSoar
                                                                                            Imagebase:0x7ff7d3870000
                                                                                            File size:72'192 bytes
                                                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:95
                                                                                            Start time:22:32:11
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff75da10000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:96
                                                                                            Start time:22:32:11
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:cmd /c start sc start CleverSoar
                                                                                            Imagebase:0x7ff6f70b0000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:272
                                                                                            Start time:22:32:19
                                                                                            Start date:24/12/2024
                                                                                            Path:C:\Windows\System32\Conhost.exe
                                                                                            Wow64 process (32bit):
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:
                                                                                            Has administrator privileges:
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false

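The process list above shows the same action repeated in quick succession: an elevated cmd.exe runs `cmd /c start sc start CleverSoar`, which spawns sc.exe with `sc start CleverSoar` (and a conhost.exe for each), all within one or two seconds. A detection check a responder would want is one that parses such a process listing and flags a service being started repeatedly through sc.exe, and separately flags the `cmd /c start sc start` launcher pattern. The following is an added example written for this page; it is not code from the Joe Sandbox report or from the analysed sample. It assumes the "Key:value" record layout printed above; the records for Target IDs 81 to 88 are taken from the page, the records with Target IDs 900 and 901 are constructed for contrast, and the threshold of three starts within sixty seconds is an assumption chosen for illustration.

```python
"""Flag repeated `sc start <service>` launches in a sandbox process list.

Added example, not part of the Joe Sandbox report. The input mirrors the
"Target ID / Start time / Start date / Path / Commandline" records on the
page; Target IDs 900 and 901 below are constructed, the threshold and time
window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the report's own record layout. Target IDs 81-88
# reproduce entries from the page; 900 and 901 are added benign records.
SAMPLE_PROCESS_LIST = """\
Target ID:81
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has exited:true

Target ID:82
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar
Has exited:true

Target ID:84
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has exited:true

Target ID:85
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar
Has exited:true

Target ID:87
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has exited:true

Target ID:88
Start time:22:32:10
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start CleverSoar
Has exited:true

Target ID:900
Start time:22:40:00
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc start wuauserv
Has exited:true

Target ID:901
Start time:22:41:00
Start date:24/12/2024
Path:C:\\Windows\\System32\\sc.exe
Commandline:sc query wuauserv
Has exited:true
"""

# "sc start X" or "sc.exe start X", optionally quoted; matches inside a
# "cmd /c start sc start X" launcher as well.
SC_START_RE = re.compile(r'\bsc(?:\.exe)?\s+start\s+"?([^"\s]+)', re.IGNORECASE)


def parse_process_list(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Key:value' records into dicts.

    Only the first colon separates key from value, so 'Path:C:\\...' and
    'Start time:22:32:10' parse correctly.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def find_service_starts(records: List[Dict[str, str]]) -> List[dict]:
    """One event per record whose command line starts a service through sc."""
    events = []
    for rec in records:
        m = SC_START_RE.search(rec.get("Commandline", ""))
        if not m:
            continue
        image = rec.get("Path", "").rsplit("\\", 1)[-1].lower()
        when = datetime.strptime(
            f"{rec['Start date']} {rec['Start time']}", "%d/%m/%Y %H:%M:%S")
        events.append({
            "target_id": rec.get("Target ID"),
            "time": when,
            "image": image,
            "service": m.group(1).lower(),      # service names are case-insensitive
            "via_cmd_start": image == "cmd.exe",  # the 'cmd /c start sc start X' launcher
        })
    return events


def repeated_starts(events: List[dict], min_count: int = 3,
                    window_seconds: int = 60) -> Dict[str, int]:
    """Services started at least min_count times by sc.exe within the window.

    Only sc.exe instances are counted, so a cmd.exe launcher and the sc.exe
    it spawns for the same action are not counted twice.
    """
    by_service = defaultdict(list)
    for ev in events:
        if ev["image"] == "sc.exe":
            by_service[ev["service"]].append(ev["time"])
    hits = {}
    for service, times in by_service.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        if len(times) >= min_count and span <= window_seconds:
            hits[service] = len(times)
    return hits


if __name__ == "__main__":
    evs = find_service_starts(parse_process_list(SAMPLE_PROCESS_LIST))
    for svc, n in repeated_starts(evs).items():
        print(f"service {svc!r} started {n} times via sc.exe within one minute")
    launchers = [e["target_id"] for e in evs if e["via_cmd_start"]]
    print("cmd /c start launchers:", launchers)
```

Run against the constructed listing, this reports `cleversoar` started three times within the window and lists Target IDs 81, 84 and 87 as the cmd.exe launchers; the single `sc start wuauserv` stays below the threshold and `sc query` never matches. The same parser works on the full listing from the report, where each `sc start CleverSoar` occurrence from Target ID 79 onward is counted.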

                                                                                              Execution Graph

                                                                                              Execution Coverage:1.4%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:4.9%
                                                                                              Total number of Nodes:739
                                                                                              Total number of Limit Nodes:9
                                                                                              execution_graph:interactive node graph (739 nodes, 9 limit nodes); not reproducible as text. Windows API calls named on the graph nodes that survive extraction, by node address:
                                                                                              6d0101c3..6d0108a6 (C runtime I/O, __dosmaperr / __wsopen_s paths):GetConsoleMode, ReadFile, ReadConsoleW, HeapFree, GetLastError
                                                                                              6cffa133 (std::_Facet_Register):IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection
                                                                                              6cfee090:FindFirstFileA
                                                                                              6ce75164:CreateFileA, CloseHandle
                                                                                              6cff8810:OpenSCManagerA
                                                                                              6cff8930:CreateToolhelp32Snapshot
                                                                                              6cff86e0:CreateProcessA
                                                                                              6cff9450:GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction
                                                                                              6ce7fbe8:ExitWindowsEx, Sleep
                                                                                              6ce7e8dd:GetCurrentProcess, TerminateProcess
                                                                                              6ce837d0, 6ce82452, 6ce7ed02:Sleep
                                                                                              Remaining graph nodes carry only runtime helper names (std::ios_base::_Ios_base_dtor, _Yarn, _strlen) or aggregated "N API calls" counts without named functions.
std::ios_base::_Ios_base_dtor _strlen 91094->91099 91095 6ce7c7a5 91097 6cffa133 std::_Facet_Register 4 API calls 91095->91097 91096 6ce7c7bc 91098 6cffa133 std::_Facet_Register 4 API calls 91096->91098 91106 6ce7c753 _Yarn _strlen 91097->91106 91098->91106 91099->90968 91099->91095 91099->91096 91099->91106 91100 6ce7d406 91103 6cffa133 std::_Facet_Register 4 API calls 91100->91103 91101 6ce7d3ed 91102 6cffa133 std::_Facet_Register 4 API calls 91101->91102 91104 6ce7d39a _Yarn 91102->91104 91103->91104 91105 6cff9050 104 API calls 91104->91105 91107 6ce7d458 std::ios_base::_Ios_base_dtor _strlen 91105->91107 91106->90985 91106->91100 91106->91101 91106->91104 91112 6ce7cb2f 91106->91112 91107->90968 91108 6ce7d8a4 91107->91108 91109 6ce7d8bb 91107->91109 91113 6ce7d852 _Yarn _strlen 91107->91113 91110 6cffa133 std::_Facet_Register 4 API calls 91108->91110 91111 6cffa133 std::_Facet_Register 4 API calls 91109->91111 91110->91113 91111->91113 91113->90985 91114 6ce7dcb6 91113->91114 91115 6ce7dccf 91113->91115 91118 6ce7dc69 _Yarn 91113->91118 91116 6cffa133 std::_Facet_Register 4 API calls 91114->91116 91117 6cffa133 std::_Facet_Register 4 API calls 91115->91117 91116->91118 91117->91118 91119 6cff9050 104 API calls 91118->91119 91121 6ce7dd1c std::ios_base::_Ios_base_dtor 91119->91121 91120 6cff86e0 4 API calls 91120->91051 91121->90968 91121->91120 91123 6cffa138 91122->91123 91124 6cffa152 91123->91124 91127 6cffa154 std::_Facet_Register 91123->91127 91229 6d002704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 91123->91229 91124->90966 91126 6cffafb3 std::_Facet_Register 91233 6cffca69 RaiseException 91126->91233 91127->91126 91230 6cffca69 RaiseException 91127->91230 91129 6cffb7ac IsProcessorFeaturePresent 91134 6cffb7d1 91129->91134 91131 6cffaf73 91231 6cffca69 RaiseException 91131->91231 91133 6cffaf93 std::invalid_argument::invalid_argument 91232 6cffca69 RaiseException 91133->91232 91134->90966 91137 6cfee0a6 FindFirstFileA 91136->91137 
91138 6cfee0a4 91136->91138 91139 6cfee0e0 91137->91139 91138->91137 91139->90972 91141 6cff8846 91140->91141 91142 6cff88be OpenServiceA 91141->91142 91143 6cff8922 91141->91143 91142->91141 91143->91017 91149 6cfe0893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 91144->91149 91145 6cfe4e71 CloseHandle 91145->91149 91146 6cfe3bd1 CloseHandle 91146->91149 91147 6ce837cb 91151 6cff9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 91147->91151 91148 6cfccea0 WriteFile ReadFile WriteFile WriteFile 91148->91149 91149->91145 91149->91146 91149->91147 91149->91148 91234 6cfcc390 91149->91234 91151->90983 91153 6ce96bd5 91152->91153 91245 6cec2020 91153->91245 91155 6ce96c68 91156 6cffa133 std::_Facet_Register 4 API calls 91155->91156 91157 6ce96ca0 91156->91157 91262 6cffaa17 91157->91262 91159 6ce96cb4 91274 6cec1d90 91159->91274 91162 6ce96d8e 91162->91028 91164 6ce96dc8 91282 6cec26e0 24 API calls 4 library calls 91164->91282 91166 6ce96dda 91283 6cffca69 RaiseException 91166->91283 91168 6ce96def 91284 6cebe010 67 API calls 91168->91284 91170 6ce96e0f 91170->91028 91172 6ce96e9f 91171->91172 91175 6ce96eb3 91172->91175 91674 6cec3560 32 API calls std::_Xinvalid_argument 91172->91674 91178 6ce96f5b 91175->91178 91676 6cec2250 30 API calls 91175->91676 91677 6cec26e0 24 API calls 4 library calls 91175->91677 91678 6cffca69 RaiseException 91175->91678 91177 6ce96f6e 91177->91028 91178->91177 91675 6cec37e0 32 API calls std::_Xinvalid_argument 91178->91675 91182 6ce9709e 91181->91182 91186 6ce970d1 91181->91186 91679 6cec01f0 91182->91679 91184 6ce97183 91184->91017 91186->91184 91683 6cec2250 30 API calls 91186->91683 91187 6d004208 67 API calls 91187->91186 91189 6ce971ae 91684 6cec2340 24 API calls 91189->91684 91191 6ce971be 91685 6cffca69 RaiseException 91191->91685 91193 6ce971c9 91194->91017 91195->91011 91198 6cff8770 91196->91198 91197 6cff87b0 WaitForSingleObject CloseHandle CloseHandle 
91197->91198 91198->91197 91199 6cff87a4 91198->91199 91199->91021 91200->91037 91202 6cff90a7 91201->91202 91731 6cff96e0 91202->91731 91204 6cff90b8 91205 6ce96ba0 104 API calls 91204->91205 91209 6cff90dc 91205->91209 91207 6cff918f std::ios_base::_Ios_base_dtor 91784 6cebe010 67 API calls 91207->91784 91211 6cff9144 91209->91211 91217 6cff9157 91209->91217 91750 6cff9a30 91209->91750 91758 6ced3010 91209->91758 91768 6cff9280 91211->91768 91212 6cff91d2 std::ios_base::_Ios_base_dtor 91212->91073 91215 6cff914c 91216 6ce97090 77 API calls 91215->91216 91216->91217 91783 6cebe010 67 API calls 91217->91783 91218->91062 91222 6cff8966 std::locale::_Setgloballocale 91219->91222 91220 6cff8a64 Process32NextW 91220->91222 91221 6cff8a14 CloseHandle 91221->91222 91222->91220 91222->91221 91223 6cff8a45 Process32FirstW 91222->91223 91224 6cff8a96 91222->91224 91223->91222 91224->90991 91225->91008 91226->91028 91228->90990 91229->91123 91230->91131 91231->91133 91232->91126 91233->91129 91235 6cfcc3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 91234->91235 91236 6cfcce3c 91235->91236 91237 6cfccab9 CreateFileA 91235->91237 91239 6cfcb4d0 91235->91239 91236->91149 91237->91235 91240 6cfcb4e3 __wsopen_s std::locale::_Setgloballocale 91239->91240 91241 6cfcc206 WriteFile 91240->91241 91242 6cfcb619 WriteFile 91240->91242 91243 6cfcc377 91240->91243 91244 6cfcbc23 ReadFile 91240->91244 91241->91240 91242->91240 91243->91235 91244->91240 91246 6cffa133 std::_Facet_Register 4 API calls 91245->91246 91247 6cec207e 91246->91247 91248 6cffaa17 43 API calls 91247->91248 91249 6cec2092 91248->91249 91285 6cec2f60 42 API calls 4 library calls 91249->91285 91251 6cec210d 91254 6cec2120 91251->91254 91286 6cffa67e 9 API calls 2 library calls 91251->91286 91252 6cec20c8 91252->91251 91253 6cec2136 91252->91253 91287 6cec2250 30 API calls 91253->91287 91254->91155 91257 6cec215b 91288 6cec2340 24 API calls 91257->91288 91259 6cec2171 91289 6cffca69 RaiseException 91259->91289 91261 
6cec217c 91261->91155 91263 6cffaa23 __EH_prolog3 91262->91263 91290 6cffa5a5 91263->91290 91266 6cffaa5f 91296 6cffa5d6 91266->91296 91269 6cffaa41 91304 6cffaaaa 39 API calls std::locale::_Setgloballocale 91269->91304 91271 6cffaa49 91305 6cffa8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 91271->91305 91272 6cffaa9c 91272->91159 91275 6cec1ddc 91274->91275 91276 6ce96d5d 91274->91276 91310 6cffab37 91275->91310 91276->91162 91281 6cec2250 30 API calls 91276->91281 91280 6cec1e82 91281->91164 91282->91166 91283->91168 91284->91170 91285->91252 91286->91254 91287->91257 91288->91259 91289->91261 91291 6cffa5bb 91290->91291 91292 6cffa5b4 91290->91292 91294 6cffa5b9 91291->91294 91307 6cffbc7b EnterCriticalSection 91291->91307 91306 6d003abd 6 API calls std::_Lockit::_Lockit 91292->91306 91294->91266 91303 6cffa920 6 API calls 2 library calls 91294->91303 91297 6d003acb 91296->91297 91298 6cffa5e0 91296->91298 91309 6d003aa6 LeaveCriticalSection 91297->91309 91299 6cffa5f3 91298->91299 91308 6cffbc89 LeaveCriticalSection 91298->91308 91299->91272 91302 6d003ad2 91302->91272 91303->91269 91304->91271 91305->91266 91306->91294 91307->91294 91308->91299 91309->91302 91311 6cffab40 91310->91311 91312 6cec1dea 91311->91312 91319 6d00343a 91311->91319 91312->91276 91318 6cfffc53 18 API calls __wsopen_s 91312->91318 91314 6cffab8c 91314->91312 91330 6d003148 65 API calls 91314->91330 91316 6cffaba7 91316->91312 91331 6d004208 91316->91331 91318->91280 91321 6d003445 __wsopen_s 91319->91321 91320 6d003458 91356 6d003810 18 API calls __wsopen_s 91320->91356 91321->91320 91322 6d003478 91321->91322 91326 6d003468 91322->91326 91342 6d00e4fc 91322->91342 91326->91314 91330->91316 91332 6d004214 __wsopen_s 91331->91332 91333 6d004233 91332->91333 91334 6d00421e 91332->91334 91338 6d00422e 91333->91338 91537 6cfffc99 EnterCriticalSection 91333->91537 91552 6d003810 18 API calls __wsopen_s 91334->91552 91336 6d004250 91538 6d00428c 91336->91538 91338->91312 91340 
6d00425b 91553 6d004282 LeaveCriticalSection 91340->91553 91343 6d00e508 __wsopen_s 91342->91343 91358 6d003a8f EnterCriticalSection 91343->91358 91345 6d00e516 91359 6d00e5a0 91345->91359 91350 6d00e662 91351 6d00e781 91350->91351 91383 6d00e804 91351->91383 91354 6d0034bc 91357 6d0034e5 LeaveCriticalSection 91354->91357 91356->91326 91357->91326 91358->91345 91366 6d00e5c3 91359->91366 91360 6d00e61b 91378 6d00a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 91360->91378 91363 6d00e624 91379 6d007eab HeapFree GetLastError __dosmaperr 91363->91379 91365 6d00e62d 91368 6d00e523 91365->91368 91380 6d00a30f 6 API calls std::_Lockit::_Lockit 91365->91380 91366->91360 91366->91366 91366->91368 91376 6cfffc99 EnterCriticalSection 91366->91376 91377 6cfffcad LeaveCriticalSection 91366->91377 91373 6d00e55c 91368->91373 91369 6d00e64c 91381 6cfffc99 EnterCriticalSection 91369->91381 91372 6d00e65f 91372->91368 91382 6d003aa6 LeaveCriticalSection 91373->91382 91375 6d003493 91375->91326 91375->91350 91376->91366 91377->91366 91378->91363 91379->91365 91380->91369 91381->91372 91382->91375 91384 6d00e823 91383->91384 91385 6d00e836 91384->91385 91387 6d00e84b 91384->91387 91399 6d003810 18 API calls __wsopen_s 91385->91399 91394 6d00e96b 91387->91394 91400 6d017598 37 API calls __wsopen_s 91387->91400 91388 6d00e797 91388->91354 91396 6d0176ce 91388->91396 91391 6d00e9bb 91391->91394 91401 6d017598 37 API calls __wsopen_s 91391->91401 91393 6d00e9d9 91393->91394 91402 6d017598 37 API calls __wsopen_s 91393->91402 91394->91388 91403 6d003810 18 API calls __wsopen_s 91394->91403 91404 6d017a86 91396->91404 91399->91388 91400->91391 91401->91393 91402->91394 91403->91388 91406 6d017a92 __wsopen_s 91404->91406 91405 6d017a99 91422 6d003810 18 API calls __wsopen_s 91405->91422 91406->91405 91407 6d017ac4 91406->91407 91413 6d0176ee 91407->91413 91412 6d0176e9 91412->91354 91424 6d003dbb 91413->91424 91419 6d017724 91420 6d017756 
91419->91420 91464 6d007eab HeapFree GetLastError __dosmaperr 91419->91464 91423 6d017b1b LeaveCriticalSection __wsopen_s 91420->91423 91422->91412 91423->91412 91465 6cfff3db 91424->91465 91426 6d003ddf 91429 6cfff4e6 91426->91429 91474 6cfff53e 91429->91474 91431 6cfff4fe 91431->91419 91432 6d01775c 91431->91432 91489 6d017bdc 91432->91489 91438 6d01778e __dosmaperr 91438->91419 91439 6d017882 GetFileType 91440 6d0178d4 91439->91440 91441 6d01788d GetLastError 91439->91441 91519 6d014ea0 SetStdHandle __dosmaperr __wsopen_s 91440->91519 91518 6d0030e2 __dosmaperr 91441->91518 91442 6d017857 GetLastError 91442->91438 91443 6d017805 91443->91439 91443->91442 91517 6d017b47 CreateFileW 91443->91517 91446 6d01789b CloseHandle 91446->91438 91461 6d0178c4 91446->91461 91447 6d01784a 91447->91439 91447->91442 91449 6d0178f5 91450 6d017941 91449->91450 91520 6d017d56 70 API calls 2 library calls 91449->91520 91454 6d017948 91450->91454 91534 6d017e00 70 API calls 2 library calls 91450->91534 91453 6d017976 91453->91454 91455 6d017984 91453->91455 91521 6d00f015 91454->91521 91455->91438 91457 6d017a00 CloseHandle 91455->91457 91535 6d017b47 CreateFileW 91457->91535 91459 6d017a2b 91460 6d017a35 GetLastError 91459->91460 91459->91461 91462 6d017a41 __dosmaperr 91460->91462 91461->91438 91536 6d014e0f SetStdHandle __dosmaperr __wsopen_s 91462->91536 91464->91420 91466 6cfff3fb 91465->91466 91467 6cfff3f2 91465->91467 91466->91467 91468 6d0080a2 __Getctype 37 API calls 91466->91468 91467->91426 91473 6d00a0c5 5 API calls std::_Lockit::_Lockit 91467->91473 91469 6cfff41b 91468->91469 91470 6d008618 __Getctype 37 API calls 91469->91470 91471 6cfff431 91470->91471 91472 6d008645 __cftoe 37 API calls 91471->91472 91472->91467 91473->91426 91475 6cfff54c 91474->91475 91476 6cfff566 91474->91476 91479 6cfff4cc __wsopen_s HeapFree GetLastError 91475->91479 91477 6cfff56d 91476->91477 91478 6cfff58c 91476->91478 91481 6cfff48d __wsopen_s HeapFree GetLastError 91477->91481 91488 
6cfff556 __dosmaperr 91477->91488 91480 6d007f33 __fassign MultiByteToWideChar 91478->91480 91479->91488 91482 6cfff59b 91480->91482 91481->91488 91483 6cfff5a2 GetLastError 91482->91483 91484 6cfff5c8 91482->91484 91485 6cfff48d __wsopen_s HeapFree GetLastError 91482->91485 91483->91488 91486 6d007f33 __fassign MultiByteToWideChar 91484->91486 91484->91488 91485->91484 91487 6cfff5df 91486->91487 91487->91483 91487->91488 91488->91431 91490 6d017c17 91489->91490 91492 6d017bfd 91489->91492 91491 6d017b6c __wsopen_s 18 API calls 91490->91491 91496 6d017c4f 91491->91496 91492->91490 91493 6d003810 __wsopen_s 18 API calls 91492->91493 91493->91490 91494 6d017c7e 91495 6d019001 __wsopen_s 18 API calls 91494->91495 91502 6d017779 91494->91502 91497 6d017ccc 91495->91497 91496->91494 91499 6d003810 __wsopen_s 18 API calls 91496->91499 91498 6d017d49 91497->91498 91497->91502 91500 6d00383d __Getctype 11 API calls 91498->91500 91499->91494 91501 6d017d55 91500->91501 91502->91438 91503 6d014cfc 91502->91503 91504 6d014d08 __wsopen_s 91503->91504 91505 6d003a8f std::_Lockit::_Lockit EnterCriticalSection 91504->91505 91512 6d014d0f 91505->91512 91506 6d014d56 91508 6d014e06 __wsopen_s LeaveCriticalSection 91506->91508 91507 6d014d34 91509 6d014f32 __wsopen_s 11 API calls 91507->91509 91510 6d014d76 91508->91510 91511 6d014d39 91509->91511 91510->91438 91516 6d017b47 CreateFileW 91510->91516 91511->91506 91514 6d015080 __wsopen_s EnterCriticalSection 91511->91514 91512->91506 91512->91507 91513 6d014da3 EnterCriticalSection 91512->91513 91513->91506 91515 6d014db0 LeaveCriticalSection 91513->91515 91514->91506 91515->91512 91516->91443 91517->91447 91518->91446 91519->91449 91520->91450 91522 6d014c92 __wsopen_s 18 API calls 91521->91522 91524 6d00f025 91522->91524 91523 6d00f02b 91525 6d014e0f __wsopen_s SetStdHandle 91523->91525 91524->91523 91526 6d00f05d 91524->91526 91528 6d014c92 __wsopen_s 18 API calls 91524->91528 91533 6d00f083 __dosmaperr 91525->91533 91526->91523 
91527 6d014c92 __wsopen_s 18 API calls 91526->91527 91529 6d00f069 CloseHandle 91527->91529 91530 6d00f054 91528->91530 91529->91523 91531 6d00f075 GetLastError 91529->91531 91532 6d014c92 __wsopen_s 18 API calls 91530->91532 91531->91523 91532->91526 91533->91438 91534->91453 91535->91459 91536->91461 91537->91336 91539 6d004299 91538->91539 91540 6d0042ae 91538->91540 91576 6d003810 18 API calls __wsopen_s 91539->91576 91545 6d0042a9 91540->91545 91554 6d0043a9 91540->91554 91545->91340 91548 6d0042d1 91569 6d00ef88 91548->91569 91550 6d0042d7 91550->91545 91577 6d007eab HeapFree GetLastError __dosmaperr 91550->91577 91552->91338 91553->91338 91555 6d0043c1 91554->91555 91559 6d0042c3 91554->91559 91556 6d00d350 18 API calls 91555->91556 91555->91559 91557 6d0043df 91556->91557 91578 6d00f25c 91557->91578 91560 6d00be2e 91559->91560 91561 6d00be45 91560->91561 91563 6d0042cb 91560->91563 91561->91563 91661 6d007eab HeapFree GetLastError __dosmaperr 91561->91661 91564 6d00d350 91563->91564 91565 6d00d371 91564->91565 91566 6d00d35c 91564->91566 91565->91548 91662 6d003810 18 API calls __wsopen_s 91566->91662 91568 6d00d36c 91568->91548 91570 6d00efae 91569->91570 91574 6d00ef99 __dosmaperr 91569->91574 91571 6d00efd5 91570->91571 91573 6d00eff7 __dosmaperr 91570->91573 91663 6d00f0b1 91571->91663 91671 6d003810 18 API calls __wsopen_s 91573->91671 91574->91550 91576->91545 91577->91545 91579 6d00f268 __wsopen_s 91578->91579 91580 6d00f2ba 91579->91580 91582 6d00f323 __dosmaperr 91579->91582 91585 6d00f270 __dosmaperr 91579->91585 91589 6d015080 EnterCriticalSection 91580->91589 91619 6d003810 18 API calls __wsopen_s 91582->91619 91583 6d00f2c0 91587 6d00f2dc __dosmaperr 91583->91587 91590 6d00f34e 91583->91590 91585->91559 91618 6d00f31b LeaveCriticalSection __wsopen_s 91587->91618 91589->91583 91591 6d00f370 91590->91591 91617 6d00f38c __dosmaperr 91590->91617 91592 6d00f3c4 91591->91592 91593 6d00f374 __dosmaperr 91591->91593 91594 6d00f3d7 91592->91594 91628 
6d00e359 20 API calls __wsopen_s 91592->91628 91627 6d003810 18 API calls __wsopen_s 91593->91627 91620 6d00f530 91594->91620 91599 6d00f42c 91603 6d00f440 91599->91603 91604 6d00f485 WriteFile 91599->91604 91600 6d00f3ed 91601 6d00f3f1 91600->91601 91602 6d00f416 91600->91602 91601->91617 91629 6d00f94b 6 API calls __wsopen_s 91601->91629 91630 6d00f5a1 43 API calls 5 library calls 91602->91630 91607 6d00f475 91603->91607 91608 6d00f44b 91603->91608 91606 6d00f4a9 GetLastError 91604->91606 91604->91617 91606->91617 91633 6d00f9b3 7 API calls 2 library calls 91607->91633 91611 6d00f450 91608->91611 91612 6d00f465 91608->91612 91613 6d00f455 91611->91613 91611->91617 91632 6d00fb77 8 API calls 3 library calls 91612->91632 91631 6d00fa8e 7 API calls 2 library calls 91613->91631 91615 6d00f463 91615->91617 91617->91587 91618->91585 91619->91585 91621 6d0150d5 __wsopen_s 18 API calls 91620->91621 91622 6d00f541 91621->91622 91623 6d00f3e8 91622->91623 91634 6d0080a2 GetLastError 91622->91634 91623->91599 91623->91600 91626 6d00f57e GetConsoleMode 91626->91623 91627->91617 91628->91594 91629->91617 91630->91617 91631->91615 91632->91615 91633->91615 91635 6d0080bf 91634->91635 91636 6d0080b9 91634->91636 91637 6d00a252 __Getctype 6 API calls 91635->91637 91641 6d0080c5 SetLastError 91635->91641 91638 6d00a213 __Getctype 6 API calls 91636->91638 91639 6d0080dd 91637->91639 91638->91635 91640 6d0080e1 91639->91640 91639->91641 91642 6d00a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 91640->91642 91647 6d008153 91641->91647 91648 6d008159 91641->91648 91644 6d0080ed 91642->91644 91645 6d0080f5 91644->91645 91646 6d00810c 91644->91646 91649 6d00a252 __Getctype 6 API calls 91645->91649 91651 6d00a252 __Getctype 6 API calls 91646->91651 91647->91623 91647->91626 91650 6d0041b9 __Getctype 35 API calls 91648->91650 91653 6d008103 91649->91653 91654 6d00815e 91650->91654 91652 6d008118 91651->91652 91655 6d00811c 91652->91655 91656 6d00812d 91652->91656 
91658 6d007eab _free HeapFree GetLastError 91653->91658 91657 6d00a252 __Getctype 6 API calls 91655->91657 91660 6d007eab _free HeapFree GetLastError 91656->91660 91657->91653 91659 6d008109 91658->91659 91659->91641 91660->91659 91661->91563 91662->91568 91664 6d00f0bd __wsopen_s 91663->91664 91672 6d015080 EnterCriticalSection 91664->91672 91666 6d00f0cb 91667 6d00f0f8 91666->91667 91668 6d00f015 __wsopen_s 21 API calls 91666->91668 91673 6d00f131 LeaveCriticalSection __wsopen_s 91667->91673 91668->91667 91670 6d00f11a 91670->91574 91671->91574 91672->91666 91673->91670 91674->91175 91675->91177 91676->91175 91677->91175 91678->91175 91680 6cec022e 91679->91680 91681 6ce970c4 91680->91681 91686 6d004ecb 91680->91686 91681->91187 91683->91189 91684->91191 91685->91193 91687 6d004ef6 91686->91687 91688 6d004ed9 91686->91688 91687->91680 91688->91687 91689 6d004efa 91688->91689 91691 6d004ee6 91688->91691 91694 6d0050f2 91689->91694 91702 6d003810 18 API calls __wsopen_s 91691->91702 91695 6d0050fe __wsopen_s 91694->91695 91703 6cfffc99 EnterCriticalSection 91695->91703 91697 6d00510c 91704 6d0050af 91697->91704 91701 6d004f2c 91701->91680 91702->91687 91703->91697 91712 6d00bc96 91704->91712 91710 6d0050e9 91711 6d005141 LeaveCriticalSection 91710->91711 91711->91701 91713 6d00d350 18 API calls 91712->91713 91714 6d00bca7 91713->91714 91715 6d0150d5 __wsopen_s 18 API calls 91714->91715 91717 6d00bcad __wsopen_s 91715->91717 91716 6d0050c3 91719 6d004f2e 91716->91719 91717->91716 91729 6d007eab HeapFree GetLastError __dosmaperr 91717->91729 91721 6d004f40 91719->91721 91723 6d004f5e 91719->91723 91720 6d004f4e 91730 6d003810 18 API calls __wsopen_s 91720->91730 91721->91720 91721->91723 91726 6d004f76 _Yarn 91721->91726 91728 6d00bd49 62 API calls 91723->91728 91724 6d0043a9 62 API calls 91724->91726 91725 6d00d350 18 API calls 91725->91726 91726->91723 91726->91724 91726->91725 91727 6d00f25c __wsopen_s 62 API calls 91726->91727 91727->91726 91728->91710 
91729->91716 91730->91723 91732 6cff9715 91731->91732 91733 6cec2020 52 API calls 91732->91733 91734 6cff97b6 91733->91734 91735 6cffa133 std::_Facet_Register 4 API calls 91734->91735 91736 6cff97ee 91735->91736 91737 6cffaa17 43 API calls 91736->91737 91738 6cff9802 91737->91738 91739 6cec1d90 89 API calls 91738->91739 91740 6cff98ab 91739->91740 91741 6cff98dc 91740->91741 91785 6cec2250 30 API calls 91740->91785 91741->91204 91743 6cff9916 91786 6cec26e0 24 API calls 4 library calls 91743->91786 91745 6cff9928 91787 6cffca69 RaiseException 91745->91787 91747 6cff993d 91788 6cebe010 67 API calls 91747->91788 91749 6cff994f 91749->91204 91751 6cff9a7d 91750->91751 91789 6cff9c90 91751->91789 91753 6cff9b6c 91753->91209 91755 6cff9a95 91755->91753 91807 6cec2250 30 API calls 91755->91807 91808 6cec26e0 24 API calls 4 library calls 91755->91808 91809 6cffca69 RaiseException 91755->91809 91759 6ced304f 91758->91759 91763 6ced3063 91759->91763 91818 6cec3560 32 API calls std::_Xinvalid_argument 91759->91818 91762 6ced311e 91764 6ced3131 91762->91764 91819 6cec37e0 32 API calls std::_Xinvalid_argument 91762->91819 91763->91762 91820 6cec2250 30 API calls 91763->91820 91821 6cec26e0 24 API calls 4 library calls 91763->91821 91822 6cffca69 RaiseException 91763->91822 91764->91209 91769 6cff928e 91768->91769 91772 6cff92c1 91768->91772 91771 6cec01f0 64 API calls 91769->91771 91770 6cff9373 91770->91215 91773 6cff92b4 91771->91773 91772->91770 91823 6cec2250 30 API calls 91772->91823 91774 6d004208 67 API calls 91773->91774 91774->91772 91776 6cff939e 91824 6cec2340 24 API calls 91776->91824 91778 6cff93ae 91825 6cffca69 RaiseException 91778->91825 91780 6cff93b9 91826 6cebe010 67 API calls 91780->91826 91782 6cff9412 std::ios_base::_Ios_base_dtor 91782->91215 91783->91207 91784->91212 91785->91743 91786->91745 91787->91747 91788->91749 91790 6cff9ccc 91789->91790 91791 6cff9cf8 91789->91791 91795 6cff9cf1 91790->91795 91812 6cec2250 30 API calls 91790->91812 91793 
6cff9d09 91791->91793 91810 6cec3560 32 API calls std::_Xinvalid_argument 91791->91810 91793->91795 91811 6cec2f60 42 API calls 4 library calls 91793->91811 91795->91755 91796 6cff9ed8 91813 6cec2340 24 API calls 91796->91813 91798 6cff9ee7 91814 6cffca69 RaiseException 91798->91814 91802 6cff9f17 91816 6cec2340 24 API calls 91802->91816 91804 6cff9f2d 91817 6cffca69 RaiseException 91804->91817 91806 6cff9d43 91806->91795 91815 6cec2250 30 API calls 91806->91815 91807->91755 91808->91755 91809->91755 91810->91793 91811->91806 91812->91796 91813->91798 91814->91806 91815->91802 91816->91804 91817->91795 91818->91763 91819->91764 91820->91763 91821->91763 91822->91763 91823->91776 91824->91778 91825->91780 91826->91782 91827 6ce73d62 91829 6ce73bc0 91827->91829 91828 6ce73e8a GetCurrentThread NtSetInformationThread 91830 6ce73eea 91828->91830 91829->91828 91831 6ce8f150 91833 6ce8efbe 91831->91833 91832 6ce8f243 CreateFileA 91836 6ce8f2a7 91832->91836 91833->91832 91834 6ce902ca 91835 6ce902ac GetCurrentProcess TerminateProcess 91835->91834 91836->91834 91836->91835 91837 6ce83b72 91838 6cffa133 std::_Facet_Register 4 API calls 91837->91838 91840 6ce837e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 91838->91840 91839 6cfee090 FindFirstFileA 91839->91840 91840->91839 91842 6ce96ba0 104 API calls 91840->91842 91843 6ce96e60 32 API calls 91840->91843 91844 6ce97090 77 API calls 91840->91844 91846 6ce9639e 91840->91846 91850 6cebe010 67 API calls 91840->91850 91842->91840 91843->91840 91844->91840 91851 6d003820 18 API calls 2 library calls 91846->91851 91850->91840 91852 6ce8f8a3 91853 6ce8f887 91852->91853 91854 6ce902ac GetCurrentProcess TerminateProcess 91853->91854 91855 6ce902ca 91854->91855 91856 6d00262f 91857 6d00263b __wsopen_s 91856->91857 91858 6d002642 GetLastError ExitThread 91857->91858 91859 6d00264f 91857->91859 91860 6d0080a2 __Getctype 37 API calls 91859->91860 91861 6d002654 91860->91861 91868 6d00d456 91861->91868 91864 6d00266b 91874 6d00259a 16 API 
calls 2 library calls 91864->91874 91867 6d00268d 91869 6d00d468 GetPEB 91868->91869 91871 6d00265f 91868->91871 91870 6d00d47b 91869->91870 91869->91871 91875 6d00a508 5 API calls std::_Lockit::_Lockit 91870->91875 91871->91864 91873 6d00a45f 5 API calls std::_Lockit::_Lockit 91871->91873 91873->91864 91874->91867 91875->91871
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: _strlen
• String ID: HR^
• API String ID: 4218353326-1341859651
• Opcode ID: 3aa7923d87ff2fb603a7bde5e8e58008085bc221577cc58ed48a75c35c2bad8e
• Instruction ID: 09a32ddbd6c9642ebe0483522ffdbc25587adea9cadd245c9e358cedde12fed4
• Opcode Fuzzy Hash: 3aa7923d87ff2fb603a7bde5e8e58008085bc221577cc58ed48a75c35c2bad8e
• Instruction Fuzzy Hash: C0741771645B028FC738CF28C8D0695B7F3EF953187298A2DC0AA8BB55E774B54ACB50

Control-flow Graph

control_flow_graph: [basic-block/edge listing of the interactive control-flow graph elided; the function starts at 6cff8930 with a CreateToolhelp32Snapshot call, loops over Process32FirstW / Process32NextW, calls CloseHandle on exit, and makes internal calls to 6cfff010 and 6d0062f5]
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CFF893E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 3332741929-0
                                                                                              • Opcode ID: 2534f184ae868882e8272fb8e11293695ae082a24f1aaa961e0759ec215b5c36
                                                                                              • Instruction ID: a2906a286c4719d847a2767d54acb6cab3765c099ff988f7fb5aae3193683a2f
                                                                                              • Opcode Fuzzy Hash: 2534f184ae868882e8272fb8e11293695ae082a24f1aaa961e0759ec215b5c36
                                                                                              • Instruction Fuzzy Hash: 27318E71509301AFDB119F1AC88474ABBE4EF8AB08F54492EF4E8D73A0D731D8868B57

                                                                                              Control-flow Graph (rendered in the report as a node/edge list; summarised here): entry block 6ce73886-6ce7388e, blocks spanning 6ce7383b through 6ce7414b; blocks 6ce7383b-6ce73855, 6ce73bc0-6ce73bda and 6ce73eea-6ce73f04 call 6cfc2a20 and 6cfc2a30; block 6ce73e81-6ce73ee0 calls 6ce73750, then GetCurrentThread followed by NtSetInformationThread.
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 04b7ad7abf3366bda946b3beebb24de444401bb9699094be8c16cf76c200c156
                                                                                              • Instruction ID: bbbc4e5ac3f7f848146e2c05498a7e40ac238aaee2418f92b6f8e6dd3ab764e3
                                                                                              • Opcode Fuzzy Hash: 04b7ad7abf3366bda946b3beebb24de444401bb9699094be8c16cf76c200c156
                                                                                              • Instruction Fuzzy Hash: 6732C132245B018FC334CF28C890696B7F3EF913187798A6DC0AA5BB95D775B44ACB61
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentThread
                                                                                              • String ID:
                                                                                              • API String ID: 2882836952-0
                                                                                              • Opcode ID: 49c2cd0d1065965b50a99868bc0e44a1a3dd6e95ce7fe261810ef817cdc83659
                                                                                              • Instruction ID: 7a261b447969c5b38d8b767a76045a360a29e15e3db14413002f0c6b49611a4b
                                                                                              • Opcode Fuzzy Hash: 49c2cd0d1065965b50a99868bc0e44a1a3dd6e95ce7fe261810ef817cdc83659
                                                                                              • Instruction Fuzzy Hash: C751B0312447018FC370CF28C884796B7B3AF96314F798A5DC0E65BA95DB75B446CB62
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentThread
                                                                                              • String ID:
                                                                                              • API String ID: 2882836952-0
                                                                                              • Opcode ID: cc834f7112fce0f17817fb13c9b596f1caa4c9cc225216f1914233e8623e582e
                                                                                              • Instruction ID: 4df1c4b5345667a9b60220b1659582298227d9f122651afe282a03ba8ab11608
                                                                                              • Opcode Fuzzy Hash: cc834f7112fce0f17817fb13c9b596f1caa4c9cc225216f1914233e8623e582e
                                                                                              • Instruction Fuzzy Hash: 1851AE31604B018BC374CF28C480796B7B3BF96314F798A5DC0E65BA95DB71B44ACB62
                                                                                              APIs
                                                                                              • GetCurrentThread.KERNEL32 ref: 6CE73E9D
                                                                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CE73EAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CurrentInformation
                                                                                              • String ID:
                                                                                              • API String ID: 1650627709-0
                                                                                              • Opcode ID: cd21a1ec24bea4872328d3e1c5ee1cc11e629ab7b1679541f3b3915ffcffb7e7
                                                                                              • Instruction ID: 9199d69a106e5c20527e7449b320a6ce2931c12a72b6db4469503668f5b64d47
                                                                                              • Opcode Fuzzy Hash: cd21a1ec24bea4872328d3e1c5ee1cc11e629ab7b1679541f3b3915ffcffb7e7
                                                                                              • Instruction Fuzzy Hash: E1310031645B02CBC370CF28C8847C6B7B2AF96314F294A1DC0A65BA81DB75700ADB62
                                                                                              APIs
                                                                                              • GetCurrentThread.KERNEL32 ref: 6CE73E9D
                                                                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CE73EAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CurrentInformation
                                                                                              • String ID:
                                                                                              • API String ID: 1650627709-0
                                                                                              • Opcode ID: 8839132fcffcd021bd93f9852fde53c635a5007cd4064bac36a3a02ec82429e1
                                                                                              • Instruction ID: b918077bcd040a3eacc241f63ebe103ec571c1c6eb76b78deed7746dc752d63c
                                                                                              • Opcode Fuzzy Hash: 8839132fcffcd021bd93f9852fde53c635a5007cd4064bac36a3a02ec82429e1
                                                                                              • Instruction Fuzzy Hash: CC31CF31114B02CBC774CF28C494796B7B2AF96308F754A1DC0AA5BA85DB717446DB62
                                                                                              APIs
                                                                                              • GetCurrentThread.KERNEL32 ref: 6CE73E9D
                                                                                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CE73EAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CurrentInformation
                                                                                              • String ID:
                                                                                              • API String ID: 1650627709-0
                                                                                              • Opcode ID: f223ee4c415038352bd8c011d381e2045412ff4b30b7992faf97121ea11b60d1
                                                                                              • Instruction ID: d6afb55d6e4329a192a7e66ebb5351e85c471069d29c5a4f7961c8b8b006f015
                                                                                              • Opcode Fuzzy Hash: f223ee4c415038352bd8c011d381e2045412ff4b30b7992faf97121ea11b60d1
                                                                                              • Instruction Fuzzy Hash: 0A21E271218702CBD778CF24C894796B7B2AF86304F744A1EC0A64BA80DB756405DB63
                                                                                              APIs
                                                                                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CFF8820
                                                                                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CFF88C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open$ManagerService
                                                                                              • String ID:
                                                                                              • API String ID: 2351955762-0
                                                                                              • Opcode ID: a687624861269669ef78675ca10828f08dc10d887d0077050a13259252b66ab7
                                                                                              • Instruction ID: d4bc338d8a1d77125909f4f386a46d57fa7d8cc2f7ca4888848aebc7858e131b
                                                                                              • Opcode Fuzzy Hash: a687624861269669ef78675ca10828f08dc10d887d0077050a13259252b66ab7
                                                                                              • Instruction Fuzzy Hash: C131F874918341AFCB009F29C849B0EBBF0EB8A754F54895EF498D7261D371C849CB63
                                                                                              APIs
                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 6CFEE0AC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFindFirst
                                                                                              • String ID:
                                                                                              • API String ID: 1974802433-0
                                                                                              • Opcode ID: 6a0727e539d7fc62088eca2007527487ac04861298cfe85d3d5ac3a67b745dfb
                                                                                              • Instruction ID: 1a5299ab6bdd26f755fa3ccb18a518240948c71530dcbeda6f3caaee4b4396a1
                                                                                              • Opcode Fuzzy Hash: 6a0727e539d7fc62088eca2007527487ac04861298cfe85d3d5ac3a67b745dfb
                                                                                              • Instruction Fuzzy Hash: B411367450C351EFC7108F28E944A4ABBF4AB8A314F148D5AF4A8CB7A0D734D988CB83

Control-flow Graph (rendered graph not reproduced; entry block 6d0101c3; API calls in graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError)
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: 8Q
• API String ID: 0-4022487301
• Opcode ID: a905c4b5ac786421180ec2a8be55414200e5b8d5bf399a757d606f71c8e123b8
• Instruction ID: a75b3b17823a652c49e8fda226baafd0a1083f3d61c50a18f328229db83f4d45
• Opcode Fuzzy Hash: a905c4b5ac786421180ec2a8be55414200e5b8d5bf399a757d606f71c8e123b8
• Instruction Fuzzy Hash: BBC1A1B0A0C246ABFF02CFDADC90BAEBBB4BF4A314F508159E594A7341C7719951CB61

Control-flow Graph (rendered graph not reproduced; entry block 6d01775c; API calls in graph: GetFileType, GetLastError, CloseHandle)
APIs
  • Part of subcall function 6D017B47: CreateFileW.KERNEL32(00000000,00000000,?,6D017805,?,?,00000000,?,6D017805,00000000,0000000C), ref: 6D017B64
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D017870
• __dosmaperr.LIBCMT ref: 6D017877
• GetFileType.KERNEL32(00000000), ref: 6D017883
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D01788D
• __dosmaperr.LIBCMT ref: 6D017896
• CloseHandle.KERNEL32(00000000), ref: 6D0178B6
• CloseHandle.KERNEL32(6D00E7C0), ref: 6D017A03
• GetLastError.KERNEL32 ref: 6D017A35
• __dosmaperr.LIBCMT ref: 6D017A3C
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: 8Q
• API String ID: 4237864984-4022487301
• Opcode ID: 251392b78a220389a7dc31844a4ec1735028a5c275f1f18288256bafa8a051f5
• Instruction ID: c99179f2cd31981afbaf6126d9c3ebf8f02c9f00da3649bf27d4ab5c30fd6bc3
• Opcode Fuzzy Hash: 251392b78a220389a7dc31844a4ec1735028a5c275f1f18288256bafa8a051f5
• Instruction Fuzzy Hash: 45A11432E181059FEF0ADFA8CC91BAD7BF1AB8A324F24414DE911AB391DB758906C751

APIs
• WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6CFCB62F
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: FileWrite
• String ID: *$,=ym$-=ym$-=ym$B$H
• API String ID: 3934441357-3163594065
• Opcode ID: 742ab8735bd618cf743311ab40a44c3fb08db8603821b36da8e11c1751d683a0
• Instruction ID: 25743169c8eb8705bff4f15d673e7924f72383e72322c878b414812159e045fb
• Opcode Fuzzy Hash: 742ab8735bd618cf743311ab40a44c3fb08db8603821b36da8e11c1751d683a0
• Instruction Fuzzy Hash: EA728A797093469FCB18CF28C49065BBBE1AF89304F188E1EE499CBB54E734D8858B43

Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: ;T55
• API String ID: 0-2572755013
• Opcode ID: ea7a3349d89c6a86f4216d3ee9cfe0e7782f94c7db8e103bd8870baa7d707798
• Instruction ID: cf5c7b71acb0a882547896e2ef425e776c49d45bc85f988c81bd60c454b5c0b1
• Opcode Fuzzy Hash: ea7a3349d89c6a86f4216d3ee9cfe0e7782f94c7db8e103bd8870baa7d707798
• Instruction Fuzzy Hash: BA03C531645B018FC728CF28C8D0695B7F3AFD53287698B6DC0AA4BB95D778B44ACB50

Control-flow Graph (rendered graph not reproduced; entry block 6cff86e0; API calls in graph: CreateProcessA, WaitForSingleObject, CloseHandle)
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: CloseHandle$CreateObjectProcessSingleWait
• String ID: D
• API String ID: 2059082233-2746444292
• Opcode ID: e553eba8062e62c1224707c062c0e4c3617f6f62e8325347e9f2d7aaac9313a3
• Instruction ID: a6e0950b992a124a0a4719f6c2e4179b135c358e49873b474233bad57c411165
• Opcode Fuzzy Hash: e553eba8062e62c1224707c062c0e4c3617f6f62e8325347e9f2d7aaac9313a3
• Instruction Fuzzy Hash: D931D2718193808FD740DF29D18471ABBF0ABDA318F505A1EF8E996360D7749585CF47

Control-flow Graph (rendered graph not reproduced; entry block 6d00f34e; API calls in graph: WriteFile, GetLastError)
APIs
  • Part of subcall function 6D00F5A1: GetConsoleCP.KERNEL32(?,6D00E7C0,?), ref: 6D00F5E9
• WriteFile.KERNEL32(?,?,6D017DDC,00000000,00000000,?,00000000,00000000,6D0191A6,00000000,00000000,?,00000000,6D00E7C0,6D017DDC,00000000), ref: 6D00F49F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,6D017DDC,6D00E7C0,00000000,?,?,?,?,00000000,?), ref: 6D00F4A9
• __dosmaperr.LIBCMT ref: 6D00F4EE
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ConsoleErrorFileLastWrite__dosmaperr
• String ID: 8Q
• API String ID: 251514795-4022487301
• Opcode ID: 403a2a7316db654f15f27890fb985e536ad8cc9bf0742d3ecde1de79e11e4b1a
• Instruction ID: 15d1b51f4b9fc154747ee42e28fdb54938fa022d75d7368cb2fb3042a1a3a565
• Opcode Fuzzy Hash: 403a2a7316db654f15f27890fb985e536ad8cc9bf0742d3ecde1de79e11e4b1a
• Instruction Fuzzy Hash: 0451D37190820ABBFB01DFA4C880FEEBFBDEF4A364F014551EA00AB251D770D9419B65

                                                                                              Control-flow Graph (rendered as an image; legend: Executed / Not Executed; first listed block 6cff9280-6cff928c)
                                                                                              APIs
                                                                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CFF9421
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Ios_base_dtorstd::ios_base::_
                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                              • API String ID: 323602529-1866435925
                                                                                              • Opcode ID: a4575b97622b5c977b25dd43a75c3d5579ef1c195d8d1ceb7c1a697a5d54ffb8
                                                                                              • Instruction ID: 9d3f8e6603a7768cc60d998df1db9f85b4886b18712c7ef07561ccce7d409478
                                                                                              • Opcode Fuzzy Hash: a4575b97622b5c977b25dd43a75c3d5579ef1c195d8d1ceb7c1a697a5d54ffb8
                                                                                              • Instruction Fuzzy Hash: B25144B5A00B008FD725CF29C584B97BBF1FB48318F108A2DD89647B90D775B90ACB91

                                                                                              Control-flow Graph (rendered as an image; legend: Executed / Not Executed; first listed block 6cfccea0-6cfccf03)
                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CFCCFE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileRead
                                                                                              • String ID:
                                                                                              • API String ID: 2738559852-0
                                                                                              • Opcode ID: 307af895eb75f564cec8adfb7624803381c6bcfaed3449ac6412e2df92b5dbd3
                                                                                              • Instruction ID: 10596be70b5edc5a5c44aa5b2744d65d0285281bc5f13e7a0201daf6249a297c
                                                                                              • Opcode Fuzzy Hash: 307af895eb75f564cec8adfb7624803381c6bcfaed3449ac6412e2df92b5dbd3
                                                                                              • Instruction Fuzzy Hash: 6B7126B0349341AFD710DF28C884B9BBBE4BF89708F50492AF494C66A0D375D985CB93

                                                                                              Control-flow Graph (rendered as an image; legend: Executed / Not Executed; first listed block 6cfcc390-6cfcc406)
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @*Z$@*Z
                                                                                              • API String ID: 0-2842812045
                                                                                              • Opcode ID: 61ef4145380451313fcd406089b7ce254226962b5ec95a3fdcec4f163867a868
                                                                                              • Instruction ID: e05ad261a5c15359aaef18751f84544a8573236ec74de072300cd8ee7c534f31
                                                                                              • Opcode Fuzzy Hash: 61ef4145380451313fcd406089b7ce254226962b5ec95a3fdcec4f163867a868
                                                                                              • Instruction Fuzzy Hash: 1B425671B093428FCB14DF28C49166BBBE1AB89318F248D6EF49AC7761D735D9468B03

                                                                                              Control-flow Graph (rendered as an image; legend: Executed / Not Executed; first listed block 6d00f015-6d00f029)
                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6D01794F), ref: 6D00F06B
                                                                                              • GetLastError.KERNEL32(?,00000000,?,6D01794F), ref: 6D00F075
                                                                                              • __dosmaperr.LIBCMT ref: 6D00F0A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                                                              • String ID:
                                                                                              • API String ID: 2583163307-0
                                                                                              • Opcode ID: 91585a206221186f9e82925ff33182b32bd5941aef7fb732db71116fc828c04d
                                                                                              • Instruction ID: c9388892651f2d2cb5f02a5e3d41a833edd6570fd95f951f65c440d577dfe629
                                                                                              • Opcode Fuzzy Hash: 91585a206221186f9e82925ff33182b32bd5941aef7fb732db71116fc828c04d
                                                                                              • Instruction Fuzzy Hash: 92012632A0D2203AF65153789C84B7E3BAE5BC773CF26C549EA14872D1DF65D8805294

                                                                                              Control-flow Graph (rendered as an image; legend: Executed / Not Executed; first listed block 6d00428c-6d004297)
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 0-4022487301
                                                                                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                              • Instruction ID: 71a38d26e6d0f1210acdfa2f193ab88bd74ec82612f01cc4357cdb3e1f51007b
                                                                                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                                                              • Instruction Fuzzy Hash: A0F02D3250561476F72196799C00B9B33ACDF9A378F924725EB20931C0DB34D40786EA
                                                                                              APIs
                                                                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CFF91A4
                                                                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CFF91E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Ios_base_dtorstd::ios_base::_
                                                                                              • String ID:
                                                                                              • API String ID: 323602529-0
                                                                                              • Opcode ID: 8745e6df7d1deb7b82ba48eb4c5c7d8dea6f7ca581a427fddf8496bcf36be09b
                                                                                              • Instruction ID: 04f38df8f0fe6f111b5cc8f0a97a250285c11d5e6c7a6e63106f59b1a9f05746
                                                                                              • Opcode Fuzzy Hash: 8745e6df7d1deb7b82ba48eb4c5c7d8dea6f7ca581a427fddf8496bcf36be09b
                                                                                              • Instruction Fuzzy Hash: C9512971105B00DBE725CF25C888BE6BBF4FB05714F448A6DD4AA477A1DB31B54ACB81
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(6D029DD0,0000000C), ref: 6D002642
                                                                                              • ExitThread.KERNEL32 ref: 6D002649
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorExitLastThread
                                                                                              • String ID:
                                                                                              • API String ID: 1611280651-0
                                                                                              • Opcode ID: 50c24bb3097d5afc8797ac4c21e648a7becd3095d50e6112fad3ce3913cefca9
                                                                                              • Instruction ID: a7eb7498e232c8b3e8de1cc311da06114d4efe962ba9f7780a5beb3a04d95dab
                                                                                              • Opcode Fuzzy Hash: 50c24bb3097d5afc8797ac4c21e648a7becd3095d50e6112fad3ce3913cefca9
                                                                                              • Instruction Fuzzy Hash: 96F0CD71908205BFFB05AFB0C849F6E3B74FF85214F214548E101A76A1CF30A941CBA1
APIs
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: e947e8c73591f0d75d71b25ce098b41aa0f319a65b4eec6852c78b4e13fd3c3e
• Instruction ID: f538147025e8517ae20ce8f5aa59cb621c58c123ae01e704ec92c9110420c9e2
• Opcode Fuzzy Hash: e947e8c73591f0d75d71b25ce098b41aa0f319a65b4eec6852c78b4e13fd3c3e
• Instruction Fuzzy Hash: 88113671A0420AAFDB05CF58E944A9B7BF8EF89304F1144A9F819EB211DA70E915CBA5
APIs
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
• Instruction ID: bd0dbc1cb7d76639e8d0e820f3e5852f7f5b6c8570b0e9d97b427c4446a267a8
• Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
• Instruction Fuzzy Hash: D0014F72C0415AFFDF029FE8CC00AEEBFF5AF48214F154265EA24E2161E7718A25DB91
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,6D017805,?,?,00000000,?,6D017805,00000000,0000000C), ref: 6D017B64
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 2994d3a5a300e4a16bc5b0f7ea6f6e0b9f3aff9fd108d4c446afe13016c635c4
• Instruction ID: 5979de081920eabe010214ad5780464a19794055bf5fc08c8c4af7c835b63812
• Opcode Fuzzy Hash: 2994d3a5a300e4a16bc5b0f7ea6f6e0b9f3aff9fd108d4c446afe13016c635c4
• Instruction Fuzzy Hash: 27D06C3200014DBBDF128F84DC06EDA3BAAFB88715F114000BA1856020C732E861AB90
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
• Instruction ID: 786c434eb45b0a0fac1bedc4315d80df10b05a4e080438f92728a29d4c469f16
• Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
• Instruction Fuzzy Hash:
APIs
• __EH_prolog.LIBCMT ref: 6D046097
  • Part of subcall function 6D0491D6: __EH_prolog.LIBCMT ref: 6D0491DB
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: $ $*$0UJ$@$@
• API String ID: 3519838083-862571645
• Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
• Instruction ID: d4d801f9de3b082d1f36d055bd20cb702c58ef7cec12ca1e5186831038f8463f
• Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
• Instruction Fuzzy Hash: F9335930D04259DBEF25CFA4C990FEDBBB1AF89304F1180A9D509AB290DB719E85CF91
APIs
• __EH_prolog.LIBCMT ref: 6D0988A4
• __aulldiv.LIBCMT ref: 6D098C4A
• __aulldiv.LIBCMT ref: 6D098C78
• __aulldiv.LIBCMT ref: 6D098D18
  • Part of subcall function 6D09A36D: __EH_prolog.LIBCMT ref: 6D09A372
  • Part of subcall function 6D09A40E: __EH_prolog.LIBCMT ref: 6D09A413
  • Part of subcall function 6D099E78: __EH_prolog.LIBCMT ref: 6D099E7D
  • Part of subcall function 6D09424A: __EH_prolog.LIBCMT ref: 6D09424F
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog$__aulldiv
• String ID: L$b
• API String ID: 604474441-3566554212
• Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
• Instruction ID: 7c852fac468c32ffe618250af3647df25d09ff4fff23c61fae32d4541614a4ef
• Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
• Instruction Fuzzy Hash: 1BE2AE70D09299DFEF15CFA4C990BECBBB0BF18304F259099D549AB241DB306E85EB61
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: _strlen
• String ID: C
• API String ID: 4218353326-4157497815
• Opcode ID: d0d093345059b4543cf9a21dc8e7b238a4ecc0682e15b1931cd0c984fdd4669e
• Instruction ID: 4d587755ae714c67062c8ec3427fb0e4f13d2ce10a7cecb3e4bc08a57b43a2a1
• Opcode Fuzzy Hash: d0d093345059b4543cf9a21dc8e7b238a4ecc0682e15b1931cd0c984fdd4669e
• Instruction Fuzzy Hash: FC73F571644B018FC728CF29C8D0A96B7F2EF953187198B6DC0A787A65EB74B54BCB40
APIs
• GetCurrentProcess.KERNEL32 ref: 6CFF945A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CFF9466
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CFF9474
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CFF949B
• NtInitiatePowerAction.NTDLL ref: 6CFF94AF
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3256374457-3733053543
• Opcode ID: 356716eea9f80631f9af441b69001894db1424d27c84e97ceeb7a6cda7e91884
• Instruction ID: 5194db6275519733bf5c7aa64676b03e6a838f0f6f3e4ab23cc3523eae65726a
• Opcode Fuzzy Hash: 356716eea9f80631f9af441b69001894db1424d27c84e97ceeb7a6cda7e91884
• Instruction Fuzzy Hash: 93F05471945304ABEB006F28DD0EB5A7BB8EF85B01F10451CFD45AA1D1D7B06994CB93
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: \j`7$\j`7$j
• API String ID: 0-3644614255
• Opcode ID: 37d727eb08265cc7b75306fd4ebae892f15a8d114a474690e07db5a533272ed5
• Instruction ID: 244e527bf2f223fe9610add08a52ab546a68bca7026f723a1aa82367b4bdee3c
• Opcode Fuzzy Hash: 37d727eb08265cc7b75306fd4ebae892f15a8d114a474690e07db5a533272ed5
• Instruction Fuzzy Hash: EE42147560D3828FC724CF68C49065ABBF1ABDA358F248A1EE499D7760D334D846CB63
APIs
• __EH_prolog.LIBCMT ref: 6D08B4B1
  • Part of subcall function 6D08C93B: __EH_prolog.LIBCMT ref: 6D08C940
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: 1$`)K$h)K
• API String ID: 3519838083-3935664338
• Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
• Instruction ID: c0f76bef57c62f077b95a5c28d112f301ae9ad26b6f1962ab8cfcb0eb3eee56d
• Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
• Instruction Fuzzy Hash: EDF27A70D04659DFEF11CBA8C888BEDBBF5AF49304F248199E449AB242DB749E85CF11
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D07DEF4
                                                                                                • Part of subcall function 6D081622: __EH_prolog.LIBCMT ref: 6D081627
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: $h%K
                                                                                              • API String ID: 3519838083-1737110039
                                                                                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                                                              • Instruction ID: 510623ab65a740831fc510faacc2519166a482d048561c1785805dfc7f417c59
                                                                                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                                                                              • Instruction Fuzzy Hash: CF538A30D05259DFEF25CBA4C984BEDBBB4AF09308F1440D8D559AB292DB70AE85CF61
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D059CE5
                                                                                                • Part of subcall function 6D02FC2A: __EH_prolog.LIBCMT ref: 6D02FC2F
                                                                                                • Part of subcall function 6D0316A6: __EH_prolog.LIBCMT ref: 6D0316AB
                                                                                                • Part of subcall function 6D059A0E: __EH_prolog.LIBCMT ref: 6D059A13
                                                                                                • Part of subcall function 6D059837: __EH_prolog.LIBCMT ref: 6D05983C
                                                                                                • Part of subcall function 6D05D143: __EH_prolog.LIBCMT ref: 6D05D148
                                                                                                • Part of subcall function 6D05D143: ctype.LIBCPMT ref: 6D05D16C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$ctype
                                                                                              • String ID:
                                                                                              • API String ID: 1039218491-3916222277
                                                                                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                                                              • Instruction ID: b8c6d02636b74d730d67c2367b371d2d0990cb7ec48cb0c266c3945c33f745cd
                                                                                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                                                                              • Instruction Fuzzy Hash: 6003DF30809249DFEF15CFA4CA40BECBBB0AF15308F2580DAD94567291DB74AB99DF61
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 3J$`/J$`1J$p0J
                                                                                              • API String ID: 0-2826663437
                                                                                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                                                              • Instruction ID: c0381a4e40b5254e3e57893673bd5fe82e479604b385e8708316c388a04ff116
                                                                                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                                                                              • Instruction Fuzzy Hash: 9E410872F109200AF348CE7A8C856667FC3C7C9346B4AC23DD5A5C76D9DABDC40782A8
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: W
                                                                                              • API String ID: 3519838083-655174618
                                                                                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                                                              • Instruction ID: 1323b92561c76de6710f0c5158f4c6a7fcb7dd42d354d487ea9a9ca24e15c3da
                                                                                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                                                                              • Instruction Fuzzy Hash: 5AB24974A0425AEFEF11CFA8C484BAEBBF9BF49304F148099E845EB252C775D941CB61
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6D003969
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6D003973
                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6D003980
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                              • String ID:
                                                                                              • API String ID: 3906539128-0
                                                                                              • Opcode ID: 4d732fce5ced49a24d2579bd856172279917740923874e95bb03f0477016c029
                                                                                              • Instruction ID: 2c8ea78c96d7ff9819f96101a8cb1b19bf5d635d5c4f92831c35474c5f34cbed
                                                                                              • Opcode Fuzzy Hash: 4d732fce5ced49a24d2579bd856172279917740923874e95bb03f0477016c029
                                                                                              • Instruction Fuzzy Hash: DC31B274D01219ABDB61DF68D888BDDBBB4BF08314F6045EAE41CA7250E7709B858F44
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?,6D002925,?,?,?,?), ref: 6D00288F
                                                                                              • TerminateProcess.KERNEL32(00000000,?,6D002925,?,?,?,?), ref: 6D002896
                                                                                              • ExitProcess.KERNEL32 ref: 6D0028A8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: 89d931ce3ea639679cf8ecf0555ec7f6ec8840779d3893e4b3e3d8ff5493fd38
                                                                                              • Instruction ID: a0000e61ea02cb63e348762429081af221c8f0f3785d3cee2183a3a3ce7632c1
                                                                                              • Opcode Fuzzy Hash: 89d931ce3ea639679cf8ecf0555ec7f6ec8840779d3893e4b3e3d8ff5493fd38
                                                                                              • Instruction Fuzzy Hash: 2CE04631802108BBEF126F20C808B6C3BB8FB85751B210424F90886520CB36E882CB90
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-3916222277
                                                                                              • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                                                                              • Instruction ID: 355f05945b8c02dc807b57ec0d4d8e4ad30b5d8026545d402f3fff05bfa81f54
                                                                                              • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                                                                                              • Instruction Fuzzy Hash: 8292913090524ADFEB25CFA8C854BAEBBF1BF09304F158099E815AF291CB71ED45CB65
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-3916222277
                                                                                              • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                                                                              • Instruction ID: 68d5d5166db6b3af9ea2692a3263cccf29e8abea86a7f68f6b7552446a4b3d32
                                                                                              • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                                                                                              • Instruction Fuzzy Hash: B3225874A04209AFEF04CFA8C494BADBBF5FF08314F108569E85A9B282D774E945CF90
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D07789B
                                                                                                • Part of subcall function 6D078FC9: __EH_prolog.LIBCMT ref: 6D078FCE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: @ K
                                                                                              • API String ID: 3519838083-4216449128
                                                                                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                                                              • Instruction ID: 63d01f08024d523cb10773b2c49bc50774c83dd0cba1be1dfae9e78a92916e7e
                                                                                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                                                                              • Instruction Fuzzy Hash: DBD1CF70E0424A9BFB25CFA8C490BEDB7F6FBC8394F21806AD505AF285C7709941CB59
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: x=J
                                                                                              • API String ID: 3519838083-1497497802
                                                                                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                                                              • Instruction ID: 5a7427fd44fd0778a9cfde7642d5b356ef9540564320f2eeefea69260182920e
                                                                                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                                                              • Instruction Fuzzy Hash: 7F912331C0A21ADBEF08CFA4C891BEDB7B1FF06308F11806AD95167151DB319E86CB98
                                                                                              APIs
                                                                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CFFAFA0
                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CFFB7C3
                                                                                                • Part of subcall function 6CFFCA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CFFB7AC,00000000,?,?,?,6CFFB7AC,?,6D02853C), ref: 6CFFCAC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                                                              • String ID:
                                                                                              • API String ID: 915016180-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: @4J$DsL
• API String ID: 0-2004129199
APIs
• __EH_prolog.LIBCMT ref: 6D04840F
  • Part of subcall function 6D049137: __EH_prolog.LIBCMT ref: 6D04913C
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: YA1
• API String ID: 0-613462611
APIs
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: __aulldiv
• String ID:
• API String ID: 3732870572-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: __aullrem
• String ID:
• API String ID: 3758378126-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
Strings
Memory Dump Source
• Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: B
• API String ID: 0-1255198513
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                              • Instruction ID: 181e81eda5ac6ff7e067e89e2bcd85eb3a3b5637016b68a14dc90e871e592968
                                                                                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                              • Instruction Fuzzy Hash: 6612B0716087428FD718CFA8C49076AFBE2BFC8344F58892DE99687746D731E845CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                              • Instruction ID: d810f9631e896a801400e8f61d6878c5d7d15090e613f4b00ee448a82eb9380d
                                                                                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                              • Instruction Fuzzy Hash: 0502E732E0C3128BE319CE28C4D036DBBF2FBC8355F154A2EE49697694D7759944CB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                              • Instruction ID: 36d51316a736db8b6332b76b678ed2f135bdd64a426aefd4a3ee8abb80585147
                                                                                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                              • Instruction Fuzzy Hash: 32F1F1326082898FEB38CE69D8507EEB7E2FBC5300F584539D989CB742DB35954AC791
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                              • Instruction ID: fd7c1b3525212c34f76cd379b318edf8b326b62303b9dbe8270f6f7b26a55a1d
                                                                                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                              • Instruction Fuzzy Hash: 9AE1D131704B054BE724CF68E4607ABB7E2EBC4310FA8492DC59687782DB76E54ACB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                              • Instruction ID: 0f25c49ccdcd82970b692d7f6a59c18b950f88b1d2d7f4da0c33aa59113f46e6
                                                                                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                              • Instruction Fuzzy Hash: 2CF1BE70608B518FD329CF2DD49036AFBE2BF89304F148A6EE1D68B691D339E554CB52
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                              • Instruction ID: 5a77ee60cc21987cb736d18c284df301f05ea101279974e950cab479d53d36a9
                                                                                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                              • Instruction Fuzzy Hash: 43F1DD70508B628BD329CF29C49032AFFF6BF89304F148A2ED5D68B691D37AE155CB51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                              • Instruction ID: fe3b5e4456b476488211cd8f998994291da0456c5b209e24045b7482996aa5e6
                                                                                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                              • Instruction Fuzzy Hash: 19C1C471704B068BE328CF6DD4906ABB7E2FBD8310F998A2DC19787746D771A495CB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                              • Instruction ID: 80082de31f8375b3631b715d87be835854cd016f3dc1937175efdf43fe750324
                                                                                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                              • Instruction Fuzzy Hash: 1ED112715086168FE329CF2CC49433ABBE1FF86300F054ABDDAA68B39AD7369515CB54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                                                              • Instruction ID: bda62d75a83bb3a99ebfc35ecf2767fc1b435e318e144d892719ed840ec0576e
                                                                                              • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                                                              • Instruction Fuzzy Hash: 2EB1A8366187128BD318DE7CD8508BB73E2EBC1320F55C63DE696C71C8DBB5951A8B81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                                                              • Instruction ID: 814780434a998abb27953cc137361af75cb382872e2d57e5ffb50ac24c5837ef
                                                                                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                                                              • Instruction Fuzzy Hash: DAC1F5352087418BD719CF79D0A06ABBBE2FFD9314F188A6CC4CA4B756DA30A40ECB55
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                              • Instruction ID: 3b44690b1da6ab96ba5aa61f59c5d2437a5b1b1224b50361b60c3309b8dc0fb3
                                                                                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                              • Instruction Fuzzy Hash: 45B1C7313087064BF324DF79C890BEBB7E1AF95304F45452DD69A8B242EF75A509C792
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                              • Instruction ID: 1a4df916a70ee7ab5eef5d602eb1bc837bb537c9a84702cd6b3706c3a9d8a545
                                                                                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                              • Instruction Fuzzy Hash: B3B1AD756087028BC304DF69C8806ABF7E2FFCC304F18892DD59987316EB71A95ACB95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                              • Instruction ID: 7652ff1c7d853ccc167f2b79708cd7fa483bd35c7c37524c021194374cac2b17
                                                                                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                              • Instruction Fuzzy Hash: 97A1183550C3418FE308CF59C4907AABBE1AFD9348F5A4A2EE4D687342D631E845CB4A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                                                              • Instruction ID: b9f6931de3df11b7ec18c9ff81b8d9c3f7a6f6fc3454098f6b9ea5c5300d94aa
                                                                                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                                                                              • Instruction Fuzzy Hash: 1C6113B27082158FE308CFA9E580AA6B3E5EBD4321B1685BFD105CB366E771DC45C718
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                                                              • Instruction ID: 20d4e4e7665d52e874fee67e2369598079ac0bfa108ca053c6039cfddbdbd152
                                                                                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                                                              • Instruction Fuzzy Hash: 8281E239A047028FD320CF69C080296F7E1FF99704F29C96DC5999B312E772E946CB85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                                                              • Instruction ID: ed54fda3bc3d032c0abe41e7add79fd869c7b283819d651db1ce860fd5f1f4f5
                                                                                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                                                                              • Instruction Fuzzy Hash: 47916D7281871A8FD314CF18D88026AB7E0FB88318F45067DED9A97341D73AEA55CBD5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                                                              • Instruction ID: 8a30f24faac3e1713dfe156c7b44f9c3b36dc5e72eea0a3b65c75e5a57155fd1
                                                                                              • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                                                              • Instruction Fuzzy Hash: 8F5199366166114BC70CDA3CD8619E73392EBD5370B19C73EE55AC75D8EB79940BC600
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                                                              • Instruction ID: 3ec187bf5bcf1700be3fced35382bfeacf098cf514f50cad30e2e554ec9ecd6b
                                                                                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                                                              • Instruction Fuzzy Hash: 57517B72E4060ADBEB08CE98D991BEDB7F2EB88304F249179D516E7381D7759A41CB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                                                              • Instruction ID: 8b8e5a36f6a7842a2dc3e364d59b305d8e40b9d94ce4681da76eba5f7552289e
                                                                                              • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                                                              • Instruction Fuzzy Hash: 9F51563610C7068FC315DF6CE8509EAB3A1AFC5320F618B3EE495CB4D5EBB5512A8B46
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                                                                              • Instruction ID: 606f9383d02238a3457c9457ad7a850aa3924fe1ea13f4c34305d4e7ef1b4fb5
                                                                                              • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                                                                              • Instruction Fuzzy Hash: 3A516B34A093468BE710DF1DC88062AF7E1FF98748F204A6DE994DB212D771ED06DB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                                                              • Instruction ID: b7b8996830c4eb7eb4dba00ba64c7ee42ab237f818f3b967c21aa89f28a66b41
                                                                                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                                                              • Instruction Fuzzy Hash: 4631142B7A440243D70CC92BCC16BAF91A35BD422675ECB396D05CAF65D52CC8164145
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                                                                              • Instruction ID: f0c2141c78c55a8b910a2cfe2638ae193ab78d4b624e3e014a23b414c7b2fb9d
                                                                                              • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                                                                              • Instruction Fuzzy Hash: EB310B7351CA070BF3218939CD403AA72A3EBE6371F56DF24DB66972ECDA7394468141
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                                                              • Instruction ID: 3ad08ae441d31b22695b714159ac80deefb6a815e6b31fc775ad2e9ede9fea22
                                                                                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                                                              • Instruction Fuzzy Hash: 5E315B7351CA0B0AF311853AC94436B76A3EBC6374F65C325D9A6872EDCB739406C242
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a2e1bb41e8166e2749adda3299d4adc61e0061497923218ef127e0eb78f679d0
                                                                                              • Instruction ID: bf88fd181b931cc38f252301c978feaec181a6eee44bc722632430e277e30022
                                                                                              • Opcode Fuzzy Hash: a2e1bb41e8166e2749adda3299d4adc61e0061497923218ef127e0eb78f679d0
                                                                                              • Instruction Fuzzy Hash: B9419C72A4871A8FC304DE58EC804FAB3E6EFC8320F904B3D9866871D5D775691AC390
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                              • Instruction ID: 0d68d8c2327eb50bcce6f326a9aa4312dda6818c78af335c877c5a0a6c7648b6
                                                                                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                              • Instruction Fuzzy Hash: 2A41C372908B068BE704CF18C89067AB3E4FF99318F454A2DED5AA7351E735FA15CB81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                                                              • Instruction ID: 6c3d29ca82127aa21ebeb635e91e72ca4da8ea953fe2ffdaa4501b8ac7862380
                                                                                              • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                                                              • Instruction Fuzzy Hash: D9318831A187128BD729CA39D4500ABB3E3EFC5318B55CB3DC4568B199EBB5600BCB41
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
• Instruction ID: 19d583a932c7e3c5a980def6e770aab94f0f008b30360e4056ac677405db15d5
• Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
• Instruction Fuzzy Hash: 8C219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
• Instruction ID: 8b02adb0df81c01334d68466a22acbc2d95a78ea5c149f2f2b8dd446ad33bbe7
• Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
• Instruction Fuzzy Hash: 912190327183428FC308DF59D88096BBBE6FFC9210F15857DE9848B351C635E906CB91
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
• Instruction ID: 57c661a0213ed8fa5b500668cd0093d1fcde9252e75824f34275fa8b422805c7
• Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
• Instruction Fuzzy Hash: 41118E723183464BD308CE1DDC90966BBE5FBC9200F24497DE985C7341C626D906DB95
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
• Instruction ID: 328fcb8da35e251966976ad71fb12eb8a151b3874a0235f73c83a6178b4e94b5
• Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
• Instruction Fuzzy Hash: 32011E6529628989E781DA79D490758FE80F756202F9CC3F4E0C8CBF42D999C54AC3A1
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 497270bde6142aae34dc72f304c33c44bf00aa1479247d1212dd31d74b99a223
• Instruction ID: 33af39ea312693b9fa5de640b6d1914560614ed0e12eff72a59385c79f7c92ee
• Opcode Fuzzy Hash: 497270bde6142aae34dc72f304c33c44bf00aa1479247d1212dd31d74b99a223
• Instruction Fuzzy Hash: 1BF03071A14224ABEB12CB49D445F9973B8EB45BA5F214056E5419B540C7B0ED40C7E0
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
• Instruction ID: 07b390dc95cb4750362a8fbd0dba7070114ceb131d10d3ea228d23293a8f0e3c
• Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
• Instruction Fuzzy Hash: DCE08C32912638FBDB10CB88D904F8AF3ECEB85B10B1100A6F605D3500C270EE00C7E0
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
• Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
• Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
• Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
• API String ID: 3519838083-609671
• Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
• Instruction ID: e4c9e878a38d240d66dbdb2f108de05f892252f76c03370c79ad75464f64d6c9
• Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
• Instruction Fuzzy Hash: C8D18E71A0828AEFEB01CFA4D990BEEB7B5FF49314F108429E556A3150DB70A944CB76
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: L$L'K$T'K$\'K$d'K$p'K$)K
• API String ID: 3519838083-3887797823
• Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
• Instruction ID: 12d39ddcd46a3872413fcd85e98ca253f41ad4e77ffc7f09df29b7d78a9f894f
• Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
• Instruction Fuzzy Hash: 7B02D27090524ADFEF21CF54C890BEDBBF1BF05304F6481AAD156A7A92D730AA85CF61
APIs
• __EH_prolog.LIBCMT ref: 6D078B74
  • Part of subcall function 6D078AC2: __EH_prolog.LIBCMT ref: 6D078AC7
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: DJ$H K$L K$P K$T K$X K$\ K
• API String ID: 3519838083-3148776506
• Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
• Instruction ID: 8ee8efb7a5e302a5524e9e6357bf1d9f6c8fe184b8a434090b3987f97eab2dc3
• Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
• Instruction Fuzzy Hash: E851C370D0414A9BEF25DBA4C480BFEB3B2AF51318F11C51ADE656F280DB749D05C7A9
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: $ $$ K$, K$.$o
• API String ID: 3519838083-1786814033
• Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
• Instruction ID: d7a6a39c92046e6b4c6a9a26e50716dd14fda9e00c7fea962cd7d14e3a582acc
• Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
• Instruction Fuzzy Hash: 7FD1C231D0825A8FEB21CFA8C8907EEBBF2FF49304F648569C456AF241C7715944CBA5
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CFFD1F7
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CFFD1FF
• _ValidateLocalCookies.LIBCMT ref: 6CFFD288
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CFFD2B3
• _ValidateLocalCookies.LIBCMT ref: 6CFFD308
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 823733ed318543c031c40f9528c4f9d0e5e2b0f74c5fa36e09d42d000e951208
• Instruction ID: 06d0941d5e5baa30586d15b132dc6502da0c33db2be36775499e36901bc95a54
• Opcode Fuzzy Hash: 823733ed318543c031c40f9528c4f9d0e5e2b0f74c5fa36e09d42d000e951208
• Instruction Fuzzy Hash: B241AD34E04208ABDF00CF68C880B9E7BB5EF45328F208155E928AB7A1D735DA07CBD1
Strings
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: d984a7688fd8b312c79db0b27b2d6e5eb4358dbc943fc765da5aa90e101564c6
• Instruction ID: 877c1bc456212631a5d3bbfe0431372c928d3da1c6b0ddf9b14bd29ae91759ec
• Opcode Fuzzy Hash: d984a7688fd8b312c79db0b27b2d6e5eb4358dbc943fc765da5aa90e101564c6
• Instruction Fuzzy Hash: C521AB72D05211F7FB124B688C45F6A37F8AB56764F354518E915A7281DB30D90186E0
APIs
• GetConsoleCP.KERNEL32(?,6D00E7C0,?), ref: 6D00F5E9
• __fassign.LIBCMT ref: 6D00F7C8
• __fassign.LIBCMT ref: 6D00F7E5
• WriteFile.KERNEL32(?,6D0191A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D00F82D
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D00F86D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D00F919
Memory Dump Source
• Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
• Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 4031098158-0
                                                                                              • Opcode ID: 212a95316a43ef64fa23f31821d73655b9cdd93425a6d70035bce856446a0c49
                                                                                              • Instruction ID: ea7833f6ff99649c3436b9d63d4fbe2f02883913e8fc2810f736e86f384ef4c6
                                                                                              • Opcode Fuzzy Hash: 212a95316a43ef64fa23f31821d73655b9cdd93425a6d70035bce856446a0c49
                                                                                              • Instruction Fuzzy Hash: 8ED1BA71D04249AFEF11CFA8C880AEDBFB9FF49314F24416AE855BB241D730AA46CB54
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6CEC2F95
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6CEC2FAF
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6CEC2FD0
                                                                                              • __Getctype.LIBCPMT ref: 6CEC3084
                                                                                              • std::_Facet_Register.LIBCPMT ref: 6CEC309C
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6CEC30B7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                              • String ID:
                                                                                              • API String ID: 1102183713-0
                                                                                              • Opcode ID: bc45dc03d2bdd6a28956e629f475811c7e1f10089e029ba787e71fc6230a97a2
                                                                                              • Instruction ID: 09354999b6049d2c7980896b6df4312323fd56cb32a59f0ae56f7ea2433bdf49
                                                                                              • Opcode Fuzzy Hash: bc45dc03d2bdd6a28956e629f475811c7e1f10089e029ba787e71fc6230a97a2
                                                                                              • Instruction Fuzzy Hash: D74189B2E002188FDB10CF88D955BDEB7F0FF88718F244128D869AB750E775A905CB92
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: __aulldiv$__aullrem
                                                                                              • String ID:
                                                                                              • API String ID: 2022606265-0
                                                                                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                              • Instruction ID: 14535e398cc73ddd04ef520f1727c0f2d59a109421b1a6d200d4846da6781b30
                                                                                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                              • Instruction Fuzzy Hash: F221937094422AFEFF508E95CC40FDF7A69EF457A4F318265B624A2190D2718D60D662
                                                                                              APIs
                                                                                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6CEC2A76
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ___std_exception_destroy
                                                                                              • String ID: U#l$q!l$Jbx$Jbx
                                                                                              • API String ID: 4194217158-3524890302
                                                                                              • Opcode ID: fae178673c11042cb2a148f0551d37ad34902c5096755cae71d304fcdb01155a
                                                                                              • Instruction ID: 3cde675d83b667849c09c4101c83c04ab0d443687f27f4dfc540da2f93e88c77
                                                                                              • Opcode Fuzzy Hash: fae178673c11042cb2a148f0551d37ad34902c5096755cae71d304fcdb01155a
                                                                                              • Instruction Fuzzy Hash: EA5125B1A002008FDB14CF58C98469EBBB5EF99308F25856DE8699B740E331D995CF92
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 6D0191CD
                                                                                              • _free.LIBCMT ref: 6D0191F6
                                                                                              • SetEndOfFile.KERNEL32(00000000,6D017DDC,00000000,6D00E7C0,?,?,?,?,?,?,?,6D017DDC,6D00E7C0,00000000), ref: 6D019228
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6D017DDC,6D00E7C0,00000000,?,?,?,?,00000000,?), ref: 6D019244
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFileLast
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 1547350101-4022487301
                                                                                              • Opcode ID: 69bdfd2bdd3ee3771a0c81a98e57a78afd8f1ffe1ac981432ceac3233a3a30f3
                                                                                              • Instruction ID: ab1da7acef7bef56ee0dc83b3b0292525460fcd464bd9b11152b9451f48e05a4
                                                                                              • Opcode Fuzzy Hash: 69bdfd2bdd3ee3771a0c81a98e57a78afd8f1ffe1ac981432ceac3233a3a30f3
                                                                                              • Instruction Fuzzy Hash: 4641C63290C606BBFB129BF8DC44B9E7BB9AF4D324F164514EA34E7290EB35D8814761
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D086853
                                                                                                • Part of subcall function 6D0865DF: __EH_prolog.LIBCMT ref: 6D0865E4
                                                                                                • Part of subcall function 6D086943: __EH_prolog.LIBCMT ref: 6D086948
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: ((K$<(K$L(K$\(K
                                                                                              • API String ID: 3519838083-3238140439
                                                                                              • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                              • Instruction ID: 5b246591bf5f53128254a5e0935460744d7408f4b4eb00893bd517b247b906ff
                                                                                              • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                              • Instruction Fuzzy Hash: 21215CB0905B40DEDB24DF6AC54469BFBF4BF50308F518A1F809687751DBF46608CBA5
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D05141D
                                                                                                • Part of subcall function 6D051E40: __EH_prolog.LIBCMT ref: 6D051E45
                                                                                                • Part of subcall function 6D0518EB: __EH_prolog.LIBCMT ref: 6D0518F0
                                                                                                • Part of subcall function 6D051593: __EH_prolog.LIBCMT ref: 6D051598
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: &qB$0aJ$A0$XqB
                                                                                              • API String ID: 3519838083-1326096578
                                                                                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                              • Instruction ID: f84213c70f34d78c58954dc9f1a20235caddd0b5c1ff6174a29598e11e22f000
                                                                                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                                                              • Instruction Fuzzy Hash: 1B21BE70D09258EEEF04DFE4D980AEDBBB4AF25308F21006DD51273281DB784E08CB61
                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6D0028A4,?,?,6D002925,?,?,?), ref: 6D00282F
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D002842
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,6D0028A4,?,?,6D002925,?,?,?), ref: 6D002865
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 008b5df99287f33287cfe7a89267a6f4ccce6eb6fbc78d80e746e2a0e152e286
                                                                                              • Instruction ID: 216cc9d24f443eabae57d0cb28928ebc14a2161246ab789bc2a0a791f7b7194a
                                                                                              • Opcode Fuzzy Hash: 008b5df99287f33287cfe7a89267a6f4ccce6eb6fbc78d80e746e2a0e152e286
                                                                                              • Instruction Fuzzy Hash: 01F08C34A12519FBFF119B61DC09BAEBBB8EB4135AF200068A804B20A1CF308A01DB90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6CFFAA1E
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 6CFFAA29
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6CFFAA97
                                                                                                • Part of subcall function 6CFFA920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CFFA938
                                                                                              • std::locale::_Setgloballocale.LIBCPMT ref: 6CFFAA44
                                                                                              • _Yarn.LIBCPMT ref: 6CFFAA5A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                              • String ID:
                                                                                              • API String ID: 1088826258-0
                                                                                              • Opcode ID: c986dcd71e9db5d3ca78c68326af722f9a0544be2b65ffa49f361147212a76ec
                                                                                              • Instruction ID: 8fda4ef3f99496c4c6f52a6ee993cc783a607d181f2f7bc652011e0764e8ba06
                                                                                              • Opcode Fuzzy Hash: c986dcd71e9db5d3ca78c68326af722f9a0544be2b65ffa49f361147212a76ec
                                                                                              • Instruction Fuzzy Hash: 5F018F79A112119FDB06DF20D940BBD7BF1FFD5244B290048D82157794EF74AA0BCB92
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: $!$@
                                                                                              • API String ID: 3519838083-2517134481
                                                                                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                              • Instruction ID: ecd4b6f3dfae47cdaf08f715d2a0ba8ed186aeb4cebb9f93b58551aab466b351
                                                                                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                              • Instruction Fuzzy Hash: F0125D7090924ADFEB24CFA4D490BEEBBB1BF09308F248469E549AF251D735E941CB64
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog__aulldiv
                                                                                              • String ID: $SJ
                                                                                              • API String ID: 4125985754-3948962906
                                                                                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                              • Instruction ID: f9bdce0b5c71849ece43044d138be409707d0b73c7baf1d292782e2cdc18f1d7
                                                                                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                                                              • Instruction Fuzzy Hash: 02B10BB5D0420ADFEB24CFA5C994AAEBBF1FF48314B61C53ED516A7250D730AA41CB90
                                                                                              APIs
                                                                                                • Part of subcall function 6CFFAA17: __EH_prolog3.LIBCMT ref: 6CFFAA1E
                                                                                                • Part of subcall function 6CFFAA17: std::_Lockit::_Lockit.LIBCPMT ref: 6CFFAA29
                                                                                                • Part of subcall function 6CFFAA17: std::locale::_Setgloballocale.LIBCPMT ref: 6CFFAA44
                                                                                                • Part of subcall function 6CFFAA17: _Yarn.LIBCPMT ref: 6CFFAA5A
                                                                                                • Part of subcall function 6CFFAA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6CFFAA97
                                                                                                • Part of subcall function 6CEC2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CEC2F95
                                                                                                • Part of subcall function 6CEC2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CEC2FAF
                                                                                                • Part of subcall function 6CEC2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CEC2FD0
                                                                                                • Part of subcall function 6CEC2F60: __Getctype.LIBCPMT ref: 6CEC3084
                                                                                                • Part of subcall function 6CEC2F60: std::_Facet_Register.LIBCPMT ref: 6CEC309C
                                                                                                • Part of subcall function 6CEC2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CEC30B7
                                                                                              • std::ios_base::_Addstd.LIBCPMT ref: 6CEC211B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                              • API String ID: 3332196525-1866435925
                                                                                              • Opcode ID: d7f32bcb1d3f923ae865b599b0d0bdad0dd57049e25cf07b97d424448d727f5c
                                                                                              • Instruction ID: a1b42367bf12d574db41b17fc44a35e526eea7c4a5853c61844f61d4f8df8d12
                                                                                              • Opcode Fuzzy Hash: d7f32bcb1d3f923ae865b599b0d0bdad0dd57049e25cf07b97d424448d727f5c
                                                                                              • Instruction Fuzzy Hash: AF41C6B1E013098FDB04CF64C9457AEBBB0FF48318F205268E525AB791E7759985CF91
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: 0$LrJ$x
                                                                                              • API String ID: 3519838083-658305261
                                                                                              • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                                                                              • Instruction ID: f51750cb1a42629d616239f4f00b64b72f8b4dae7465c327f6fadeb385759226
                                                                                              • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                                                                                              • Instruction Fuzzy Hash: 3E215B32D46119DAEF05CBD8C990BEEB7B5EF98208F21015AE50177240DB759E04CBA5
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D057ECC
                                                                                                • Part of subcall function 6D04258A: __EH_prolog.LIBCMT ref: 6D04258F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: :hJ$dJ$xJ
                                                                                              • API String ID: 3519838083-2437443688
                                                                                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                              • Instruction ID: 6e31200eb9fd82c2dec6976809ff93d04a2bff35efc28817bca2ded77c67731b
                                                                                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                                                              • Instruction Fuzzy Hash: 4D21E9B0805B40CFD760CF6AC14424ABBF4FF69708B00C96EC1AA97B11D7B8A609CF95
                                                                                              APIs
                                                                                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6D00E7C0,6CEC1DEA,00008000,6D00E7C0,?,?,?,6D00E36F,6D00E7C0,?,00000000,6CEC1DEA), ref: 6D00E4B9
                                                                                              • GetLastError.KERNEL32(?,?,?,6D00E36F,6D00E7C0,?,00000000,6CEC1DEA,?,6D017D8E,6D00E7C0,000000FF,000000FF,00000002,00008000,6D00E7C0), ref: 6D00E4C3
                                                                                              • __dosmaperr.LIBCMT ref: 6D00E4CA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer__dosmaperr
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 2336955059-4022487301
                                                                                              • Opcode ID: 810131245c4092f0cf18c30deb158ddbd7f767314e448485f900efacc68f3deb
                                                                                              • Instruction ID: 7f4737a861b65e85a505530141ab119f572bfa33b6939d03cf4678da25365735
                                                                                              • Opcode Fuzzy Hash: 810131245c4092f0cf18c30deb158ddbd7f767314e448485f900efacc68f3deb
                                                                                              • Instruction Fuzzy Hash: 2301D832614515BBFB068F69CC44E9D3B7DEBC6334B354218E911EB290EB71D9418751
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D0761BA
                                                                                                • Part of subcall function 6D076269: __EH_prolog.LIBCMT ref: 6D07626E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: J$0J$DJ
                                                                                              • API String ID: 3519838083-3152824450
                                                                                              • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                                                                              • Instruction ID: 978279f2c041cc9f7cf3e991aee699c60fd0cc8054b1715269d52f7156aec5d5
                                                                                              • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                                                                                              • Instruction Fuzzy Hash: FB11F3B0905750CFC320CF5AC498696FBE0BB25304F90C8AE90AA47611C7B4A908CBA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: <J$DJ$HJ$TJ$]
                                                                                              • API String ID: 0-686860805
                                                                                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                              • Instruction ID: c5588f1261c813f71a58982becac33ce089e28c7fd8a103cc53c1bf3ef8bbf41
                                                                                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                                                              • Instruction Fuzzy Hash: C841A330C0929AEBEF14DBA1D490EFFB7B0AF51304B51C47DD621A7050EB75AA49CB51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                                                                                              • API String ID: 0-3393562052
                                                                                              • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                                                                              • Instruction ID: c6f287f74958fe685685b2a5bccb8539709c0c387deb7704c2103d1fc39c97bf
                                                                                              • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                                                                                              • Instruction Fuzzy Hash: E0211AB1544B419FC320CF16C48978BFBF4FB15754F50DA2ED5AA57A40C7B8A108CB99
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,6D002654,6D029DD0,0000000C), ref: 6D0080A7
                                                                                              • _free.LIBCMT ref: 6D008104
                                                                                              • _free.LIBCMT ref: 6D00813A
                                                                                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6D002654,6D029DD0,0000000C), ref: 6D008145
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast_free
                                                                                              • String ID:
                                                                                              • API String ID: 2283115069-0
                                                                                              • Opcode ID: 7af6d67cfd520c2ce2cf8660f007bbd50c00725b4dc4cc73586d106bf758cb47
                                                                                              • Instruction ID: 641ecc6f94c1062a33c6faaca40de1fb59e73f7f9154ce13ca54f744fe95248f
                                                                                              • Opcode Fuzzy Hash: 7af6d67cfd520c2ce2cf8660f007bbd50c00725b4dc4cc73586d106bf758cb47
                                                                                              • Instruction Fuzzy Hash: 83118A716486017AFB516B789C84F6F26ADBFC2378B724638F724971C0DF618C014250
                                                                                              APIs
                                                                                              • WriteConsoleW.KERNEL32(00000000,?,6D017DDC,00000000,00000000,?,6D018241,00000000,00000001,00000000,6D00E7C0,?,6D00F976,?,?,6D00E7C0), ref: 6D0195C1
                                                                                              • GetLastError.KERNEL32(?,6D018241,00000000,00000001,00000000,6D00E7C0,?,6D00F976,?,?,6D00E7C0,?,6D00E7C0,?,6D00F40C,6D0191A6), ref: 6D0195CD
                                                                                                • Part of subcall function 6D01961E: CloseHandle.KERNEL32(FFFFFFFE,6D0195DD,?,6D018241,00000000,00000001,00000000,6D00E7C0,?,6D00F976,?,?,6D00E7C0,?,6D00E7C0), ref: 6D01962E
                                                                                              • ___initconout.LIBCMT ref: 6D0195DD
                                                                                                • Part of subcall function 6D0195FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D01959B,6D01822E,6D00E7C0,?,6D00F976,?,?,6D00E7C0,?), ref: 6D019612
                                                                                              • WriteConsoleW.KERNEL32(00000000,?,6D017DDC,00000000,?,6D018241,00000000,00000001,00000000,6D00E7C0,?,6D00F976,?,?,6D00E7C0,?), ref: 6D0195F2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                              • String ID:
                                                                                              • API String ID: 2744216297-0
                                                                                              • Opcode ID: 9ffbd64bf598a8214aa41fe1ac339c1c4c00131d6e3c1568c4e14d386a60744f
                                                                                              • Instruction ID: d75386d2cf1f8ebe8e23ec72128429a6968232e3abaf30ccceba0d523e9da8ad
                                                                                              • Opcode Fuzzy Hash: 9ffbd64bf598a8214aa41fe1ac339c1c4c00131d6e3c1568c4e14d386a60744f
                                                                                              • Instruction Fuzzy Hash: B7F01C36809119BBCF121FD1DC44B993F76FB4A7B1B554010FE1996520DB328860DB91
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: x'K$|'K
                                                                                              • API String ID: 3519838083-1041342148
                                                                                              • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                                                                              • Instruction ID: fe973d6cf1f8f12e495a18a7445a092ada7cf8ddf2fd5e6f1ae3cd22423a75e8
                                                                                              • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                                                                                              • Instruction Fuzzy Hash: 08D10730D18787DAFF22CB60C890BFEBBB0BF42308F914519D1A663097DB65A546CB55
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 2427045233-4022487301
                                                                                              • Opcode ID: 62278dd8639a242a2725c760284f5fb7cdf669a6c77cab130963c9ab57593ef3
                                                                                              • Instruction ID: 821af7c02c3ed0b6946992ae0dd57d2e248520bed7ef915a4a8cb25227dfb39b
                                                                                              • Opcode Fuzzy Hash: 62278dd8639a242a2725c760284f5fb7cdf669a6c77cab130963c9ab57593ef3
                                                                                              • Instruction Fuzzy Hash: A6719371D04217BBFB119F94C880BFE7ABAFF4A314F958129E92067240DB758981CBE1
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: @$hfJ
                                                                                              • API String ID: 3519838083-1391159562
                                                                                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                              • Instruction ID: 74f8357039dc5484a5e5329198b2058dbe77a3eb661dbf3a539b43c0dfec5dcd
                                                                                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                                                              • Instruction Fuzzy Hash: 4A916870D10259DFEB10DFA9C994AEEFBF4BF18308F90452EE546A7290D770AA54CB60
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D04BC5D
                                                                                                • Part of subcall function 6D04A61A: __EH_prolog.LIBCMT ref: 6D04A61F
                                                                                                • Part of subcall function 6D04AA2E: __EH_prolog.LIBCMT ref: 6D04AA33
                                                                                                • Part of subcall function 6D04BEA5: __EH_prolog.LIBCMT ref: 6D04BEAA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: WZJ
                                                                                              • API String ID: 3519838083-1089469559
                                                                                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                              • Instruction ID: ea6fc7aa4b0f0ce8d94769572d0e0f494b794fb40179c4b4e306c7b379f61996
                                                                                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                                                              • Instruction Fuzzy Hash: C1817D31D05159DFEF15DFA4D580FDDB7B4AF59308F2180AAE602672A0DB30AE05CB61
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: CK$CK
                                                                                              • API String ID: 3519838083-2096518401
                                                                                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                              • Instruction ID: 7d82ca19167bed8cfd12254a9c9443df67579fdaddae91d9cc173f07a7454de2
                                                                                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                                                                              • Instruction Fuzzy Hash: D8518C75A0030A9FEB24CFA4D8C4BBEB3F5FF88354F158529D901AB241DB74A905CBA5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: <dJ$Q
                                                                                              • API String ID: 3519838083-2252229148
                                                                                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                              • Instruction ID: 6b96af6c98104db0ec9aeb96dccb4be2cf3b5f1cc1d691bc505a8e98df4fd2ac
                                                                                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                                                              • Instruction Fuzzy Hash: 8B51C07090425AEFEF11DFE8D990AEDB7B1FF49304F10852EEA11AB250D7319A95CB50
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: $D^J
                                                                                              • API String ID: 3519838083-3977321784
                                                                                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                                                              • Instruction ID: 7371bceaf1a31aca32dc967e55f4d1259858db274990b14306b8732fb37d1ed8
                                                                                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                                                              • Instruction Fuzzy Hash: 16412AB0A095A2EEF726CF288850FFEBBE56F16244F04C0B8C592C7181DB656996C3D5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: 8)L$8)L
                                                                                              • API String ID: 3519838083-2235878380
                                                                                              • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                                                                              • Instruction ID: 1227338eb1435c8618914f77a2a2eebe8422ad070eb84603bfb786365bda01a7
                                                                                              • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                                                                                              • Instruction Fuzzy Hash: 3A51CE31649641CFE715CB65C890BEEB7F2FF85314F51496ED29A87260CB307944CBA4
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: qJ$#
                                                                                              • API String ID: 3519838083-4209149730
                                                                                              • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                                                                              • Instruction ID: 2f32c5d0850d6e6cd809251b1946d925a5bc7a255d41c7e80e0bbf7b432fe823
                                                                                              • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                                                                                              • Instruction Fuzzy Hash: A851AD3590424ADFEF00CFA8C680AEDBBB5FF09318F158558E951A7391C734EA15CBA1
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6D017DC6), ref: 6D01070B
                                                                                              • __dosmaperr.LIBCMT ref: 6D010712
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast__dosmaperr
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 1659562826-4022487301
                                                                                              • Opcode ID: 02fef494865650e085fb5a9dc9bcf4fe173ee7151ad06ea38fdfbd9fb1842d1d
                                                                                              • Instruction ID: 381986ab396cdd04b2d17e5655ed3751038434f44f27786e234eea33e2a0fba9
                                                                                              • Opcode Fuzzy Hash: 02fef494865650e085fb5a9dc9bcf4fe173ee7151ad06ea38fdfbd9fb1842d1d
                                                                                              • Instruction Fuzzy Hash: 24416B71A1C155AFFB12DF9ACC81BAD7FE5EB86314F64825CE8C48B241D3319C218B90
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                               • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                               • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: _strlen
                                                                                              • String ID: U#l$q!l
                                                                                              • API String ID: 4218353326-3548188313
                                                                                              • Opcode ID: 89339d2f74272fce69c7373f32e97cc7aa4e147660724ffd0380589004a0801a
                                                                                              • Instruction ID: c58eb39647682fcc1c1031aa35fc307a24ba134f7f4e700ce16cafe553f2e238
                                                                                              • Opcode Fuzzy Hash: 89339d2f74272fce69c7373f32e97cc7aa4e147660724ffd0380589004a0801a
                                                                                              • Instruction Fuzzy Hash: 3B41D3B2D002089BDB00DFA4DD84BDEBBB5EF58314F250129E818A7750E7359958CBA2
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: X&L$p|J
                                                                                              • API String ID: 3519838083-2944591232
                                                                                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                                                              • Instruction ID: 45104f1f04b793f18870ec9832032e2702a0df7adbd293ffff6809ee3282ed71
                                                                                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                                                              • Instruction Fuzzy Hash: 1131F431689987CBF7119F58DD09BBD77B5FB03724F60402AD650AB1E0CBA08982CA75
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: 0|J$`)L
                                                                                              • API String ID: 3519838083-117937767
                                                                                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                              • Instruction ID: 7fcb1b0d835192eaf7419ea273460c0b29eaca94fa6c8712dbf76634754d441e
                                                                                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                              • Instruction Fuzzy Hash: C8417331A05785EFEB118F64C8907BEBBF2FF85304F01482EE59A57250CB71A944DBA6
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: __aulldiv
                                                                                              • String ID: 3333
                                                                                              • API String ID: 3732870572-2924271548
                                                                                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                              • Instruction ID: 48031c229ac32870d2c431113b3bf681858a8de6a75607d5c42d09d73e9570d7
                                                                                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                              • Instruction Fuzzy Hash: 7A21B5B0D447546EF720DFA98880F5FFAFCEB88755F21891EA286D7240D770E9008B65
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: #$4qJ
                                                                                              • API String ID: 3519838083-3965466581
                                                                                              • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                              • Instruction ID: 610891871e88d280f7802e1acc824fc861df1a9b7afcdcb741d159963fc4ce02
                                                                                              • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                              • Instruction Fuzzy Hash: DE318935A0421ADFEB10CF65CA40BBE73B9EF49324F018099EDA5A7250D770AD25CBA0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: @$LuJ
                                                                                              • API String ID: 3519838083-205571748
                                                                                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                              • Instruction ID: 2b2e3b664ebe08c1d072a5f87fbd741fab566782b8907f40f29a43bb0dbd67d0
                                                                                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                              • Instruction Fuzzy Hash: F4016171E05246DAEB10DF9984806AEF7B4FF5A704F44C42EE565E3241C3749905CFA5
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 6D011439
                                                                                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6D00DD2A,?,00000004,?,4B42FCB6,?,?,6D002E7C,4B42FCB6,?), ref: 6D011475
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1419624835.000000006CE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CE70000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1419603707.000000006CE70000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421178392.000000006D01B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1423172752.000000006D1E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocHeap_free
                                                                                              • String ID: 8Q
                                                                                              • API String ID: 1080816511-4022487301
                                                                                              • Opcode ID: b8783813333ca246532117afdb29bdc51d159a0971d48dd7b7c73c95c3ae1218
                                                                                              • Instruction ID: c3fa22d1b47d77d64c978734d8b4cc125933657069da9577f8703ee5869b8aa7
                                                                                              • Opcode Fuzzy Hash: b8783813333ca246532117afdb29bdc51d159a0971d48dd7b7c73c95c3ae1218
                                                                                              • Instruction Fuzzy Hash: 76F0FC3161D132B7FB195AB55C00B6F37A9AFE3FB4F21C015EA1457184DB20D4018193
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: p/K$J
                                                                                              • API String ID: 3519838083-2069324279
                                                                                              • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                                                              • Instruction ID: c892beb49ff4c9b9c446996de6687e9613160cf65909e54f4a85a83d7f0e80f6
                                                                                              • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                                                                              • Instruction Fuzzy Hash: 9801BCB1A15701DFE724CFA9D5043AEBBF8EF54729F10C91EA052A3640C7F8A5088BA5
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D070185
                                                                                                • Part of subcall function 6D07022B: __EH_prolog.LIBCMT ref: 6D070230
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: J$0J
                                                                                              • API String ID: 3519838083-2882003284
                                                                                              • Opcode ID: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                                                                              • Instruction ID: ba3c1c5bdf8a1589d61de9d82c3bba673bf3fbce4989db617bba8582da2656e5
                                                                                              • Opcode Fuzzy Hash: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                                                                              • Instruction Fuzzy Hash: CE1175B0911B108BC3248F16D4546D6FBF4FFA5714F50C91FD5AA87620C7B8A5548F98
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D06DFCC
                                                                                                • Part of subcall function 6D06D4D1: __EH_prolog.LIBCMT ref: 6D06D4D6
                                                                                                • Part of subcall function 6D06C14B: __EH_prolog.LIBCMT ref: 6D06C150
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: J$0J
                                                                                              • API String ID: 3519838083-2882003284
                                                                                              • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                              • Instruction ID: d7f12e81846c80a52ab1067fa023bb5e95fed2a3040c94bf049db340fa0f80ed
                                                                                              • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                              • Instruction Fuzzy Hash: 910105B1804B50CFD325CF56C5A428AFBE0FB15308F90C95EC1A657B50D7B8A508CB68
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D08E439
                                                                                                • Part of subcall function 6D08E4BA: __EH_prolog.LIBCMT ref: 6D08E4BF
                                                                                                • Part of subcall function 6D07022B: __EH_prolog.LIBCMT ref: 6D070230
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: D.K$T.K
                                                                                              • API String ID: 3519838083-2437000251
                                                                                              • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                              • Instruction ID: a911c1551db8b3836226569894aee125f510c3f490c062563afd66538cf713ac
                                                                                              • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                              • Instruction Fuzzy Hash: 4B012C71915751CFD724CF69C51438ABBF0BF19704F00C91E80AA97741E7B8A648CBA5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: 8)L$8rJ
                                                                                              • API String ID: 3519838083-896068166
                                                                                              • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                              • Instruction ID: e88dc3234b65c2a6902147afe7a3c7ecd0535b20bce309bb4e862060ae449416
                                                                                              • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                              • Instruction Fuzzy Hash: 8CF03A76A14114EFD701CF98D949BDEBBF8FF46355F14806AF405A7211C7B89A00CBA5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prologctype
                                                                                              • String ID: |zJ
                                                                                              • API String ID: 3037903784-3782439380
                                                                                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                              • Instruction ID: 9a6ba280231919c72baa3763fb69e681bbd3a5161144120a7db96cb8517b69f1
                                                                                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                              • Instruction Fuzzy Hash: A9E06D32A09561EBFB188B49D801BAEF3E8FF54B19F4140AF9012A7645CFB1A80086E5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prologctype
                                                                                              • String ID: \~J
                                                                                              • API String ID: 3037903784-3176329776
                                                                                              • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                              • Instruction ID: b5578534efa2e35a191154653e1a5f4cd52a69738afca459b331ce8f6c517d97
                                                                                              • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                              • Instruction Fuzzy Hash: 60E06532A09561DFFB249F49D814FADF3F4FF84718F11815E911167151CBB1A8008695
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 6D06C0E0
                                                                                                • Part of subcall function 6D06C14B: __EH_prolog.LIBCMT ref: 6D06C150
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: J$0J
                                                                                              • API String ID: 3519838083-2882003284
                                                                                              • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                              • Instruction ID: 110194530eab1bdb68598e080a3b1d5816aecffd2577f9d9639947c741cab00c
                                                                                              • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                              • Instruction Fuzzy Hash: 3EF0E7B0901B51CFC724DF59D81428ABBF0FB16708B50C91FC0AA97B10D7B8A548CFA8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @ K$DJ$T)K$X/K
                                                                                              • API String ID: 0-3815299647
                                                                                              • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                              • Instruction ID: bc75a8e75b0a4a4f7dee249101b1f22f2ae9044706eef1e23ccac8a76f28210e
                                                                                              • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                              • Instruction Fuzzy Hash: 689101346093068BFB24DF74C8907EEB3F2AF41308F909859E9666F281CB75E949D761
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: D)K$H)K$P)K$T)K
                                                                                              • API String ID: 0-2262112463
                                                                                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                              • Instruction ID: 9ce375a36889944643fe1cccb942387a77c0f01d9489ef7f398867976df84486
                                                                                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                              • Instruction Fuzzy Hash: 8F51E430E0920A9BEF14CF95D840BEEB7B1FF94318F108019E91167186DB75D948CBE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (?K$8?K$H?K$CK
                                                                                              • API String ID: 0-3450752836
                                                                                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                              • Instruction ID: c1c8d428a3e6c00a50b1e9b35ff44e1418be4b65f304c425b103a7adfb6d92f7
                                                                                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                              • Instruction Fuzzy Hash: 64F030B05057019FD320CF46D54879BFBF4EB4170AF50C81EE19A97A40D3BCA5088FA9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1421268138.000000006D02B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6D02B000, based on PE: true
                                                                                              • Associated: 00000006.00000002.1422139075.000000006D0F6000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000006.00000002.1422229463.000000006D0FC000.00000020.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_6ce70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 00K$@0K$P0K$`0K
                                                                                              • API String ID: 0-1070766156
                                                                                              • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                                                                              • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                                                                                              • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                                                                              • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8