Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe

Overview

General Information

Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
renamed because original name is a hash value
Original sample name:_1.1.5.exe
Analysis ID:1580554
MD5:03ea7f971fc545436e2e3dc7dcb4b3ce
SHA1:6bf3648177bdf3c058370ff1b1497941e57d97f4
SHA256:cd2784184b63ef5c32bb840092c2eb00a4f52ef8ec0ea8ef23277dce0c2d9a12
Tags:exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" MD5: 03EA7F971FC545436E2E3DC7DCB4B3CE)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PID: 4424 cmdline: "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" MD5: 0C60D7DFC89698F75CB7C33C3D3DFF44)
      • powershell.exe (PID: 2104 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3224 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (PID: 1496 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT MD5: 03EA7F971FC545436E2E3DC7DCB4B3CE)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PID: 3172 cmdline: "C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$30422,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT MD5: 0C60D7DFC89698F75CB7C33C3D3DFF44)
          • 7zr.exe (PID: 6380 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6332 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 2428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 6608 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6584 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4068 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1892 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6500 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5952 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • Conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 348 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6500 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1672 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6192 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3220 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2716 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1012 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 4424, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2104, ProcessName: powershell.exe
Sigma detected: New Kernel Driver Via SC.EXE
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6608, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6584, ProcessName: sc.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 4424, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2104, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6608, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6584, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 4424, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2104, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbcReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbcReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeVirustotal: Detection: 9%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 89.5% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2095272860.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2095174155.0000000003750000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C83E090 FindFirstFileA,FindClose,FindClose,6_2_6C83E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00EB6868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00EB7496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000003.2034954431.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024205732.0000000003600000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024872847.000000007F9DB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000000.2026410772.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000000.2050430122.0000000000BBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024205732.0000000003600000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024872847.000000007F9DB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000000.2026410772.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000000.2050430122.0000000000BBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: 01 00 00 00 Jump to behavior

System Summary

barindex
PE file contains section with special chars
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C848810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C848810
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C3886
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C3C62
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C849450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C849450
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C3D62
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C3D18
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C39CF
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6C3A6A
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C1950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6C6C1950
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C6C4754
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C47546_2_6C6C4754
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6CA28D126_2_6CA28D12
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C994F0A6_2_6C994F0A
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9B38816_2_6C9B3881
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6CA1B06F6_2_6CA1B06F
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8448606_2_6C844860
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C84A1336_2_6C84A133
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C957A466_2_6C957A46
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9CCB306_2_6C9CCB30
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C918D906_2_6C918D90
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8CAD436_2_6C8CAD43
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F6D506_2_6C8F6D50
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8FCE806_2_6C8FCE80
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8D4F116_2_6C8D4F11
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8E889F6_2_6C8E889F
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90A8C86_2_6C90A8C8
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8FC9F06_2_6C8FC9F0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F4AA06_2_6C8F4AA0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F0AD06_2_6C8F0AD0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F2A506_2_6C8F2A50
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C89840A6_2_6C89840A
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9025C06_2_6C9025C0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8C25EC6_2_6C8C25EC
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8FC6E06_2_6C8FC6E0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9126406_2_6C912640
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8EE6506_2_6C8EE650
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9167C06_2_6C9167C0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C91C7006_2_6C91C700
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8960926_2_6C896092
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9020506_2_6C902050
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8FA1F06_2_6C8FA1F0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9002806_2_6C900280
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9003806_2_6C900380
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8A9CE06_2_6C8A9CE0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C917DE06_2_6C917DE0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F9D106_2_6C8F9D10
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C87BEA16_2_6C87BEA1
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C895EC96_2_6C895EC9
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C901EF06_2_6C901EF0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8CDEEF6_2_6C8CDEEF
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8C78966_2_6C8C7896
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90F8D06_2_6C90F8D0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F18106_2_6C8F1810
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9098206_2_6C909820
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9178706_2_6C917870
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9199996_2_6C919999
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C91D91A6_2_6C91D91A
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F99006_2_6C8F9900
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90D9306_2_6C90D930
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90B9506_2_6C90B950
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C87B9726_2_6C87B972
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C907AA06_2_6C907AA0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C91DA006_2_6C91DA00
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8D3A526_2_6C8D3A52
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8EDB906_2_6C8EDB90
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C883BCA6_2_6C883BCA
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C911BC06_2_6C911BC0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C893B666_2_6C893B66
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9074896_2_6C907489
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8DB4AC6_2_6C8DB4AC
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9014D06_2_6C9014D0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F55806_2_6C8F5580
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8FF5806_2_6C8FF580
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F75D06_2_6C8F75D0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8E55216_2_6C8E5521
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90B5206_2_6C90B520
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9176C06_2_6C9176C0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9116006_2_6C911600
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9097A06_2_6C9097A0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C87F7CF6_2_6C87F7CF
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9197C06_2_6C9197C0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8DF7F36_2_6C8DF7F3
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9010E06_2_6C9010E0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C8F30206_2_6C8F3020
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90F2A06_2_6C90F2A0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C90B2006_2_6C90B200
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C9067506_2_6C906750
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C909AF06_2_6C909AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EF81EC10_2_00EF81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F381C010_2_00F381C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2425010_2_00F24250
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4824010_2_00F48240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4C3C010_2_00F4C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F404C810_2_00F404C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2865010_2_00F28650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2C95010_2_00F2C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F0094310_2_00F00943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F28C2010_2_00F28C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F44EA010_2_00F44EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F40E0010_2_00F40E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F110AC10_2_00F110AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F3D08910_2_00F3D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2D1D010_2_00F2D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F491C010_2_00F491C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F3518010_2_00F35180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4112010_2_00F41120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4D2C010_2_00F4D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F153F310_2_00F153F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB53CF10_2_00EB53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F454D010_2_00F454D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EFD49610_2_00EFD496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4D47010_2_00F4D470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB157210_2_00EB1572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4155010_2_00F41550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F3D6A010_2_00F3D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F0965210_2_00F09652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB97CA10_2_00EB97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EC976610_2_00EC9766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4D9E010_2_00F4D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB1AA110_2_00EB1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F35E8010_2_00F35E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F35F8010_2_00F35F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00ECE00A10_2_00ECE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F322E010_2_00F322E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5230010_2_00F52300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F1E49F10_2_00F1E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F325F010_2_00F325F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F266D010_2_00F266D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2A6A010_2_00F2A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4E99010_2_00F4E990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F32A8010_2_00F32A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F0AB1110_2_00F0AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F36CE010_2_00F36CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F370D010_2_00F370D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2B18010_2_00F2B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F1B12110_2_00F1B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4720010_2_00F47200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EDB3E410_2_00EDB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4F3C010_2_00F4F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F3F3A010_2_00F3F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F3F42010_2_00F3F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2741010_2_00F27410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4F59910_2_00F4F599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4353010_2_00F43530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5351A10_2_00F5351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2F50010_2_00F2F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F5360110_2_00F53601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F477C010_2_00F477C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2379010_2_00F23790
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EDF8E010_2_00EDF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2F91010_2_00F2F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F37AF010_2_00F37AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F03AEF10_2_00F03AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00ECBAC910_2_00ECBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00ECBC9210_2_00ECBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F37C5010_2_00F37C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F2FDF010_2_00F2FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: SecurityJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00F4FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00EB1E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00EB28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: String function: 6C87C240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: String function: 6C919F10 appears 728 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024205732.000000000371E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024872847.000000007FCDA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000000.2022672928.0000000000B99000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@143/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C849450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C849450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_00EB9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EC3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_00EC3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_00EB9252
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C848930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,6_2_6C848930
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Program Files (x86)\Windows NT\is-HIEVQ.tmpJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3168:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6000:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2752:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeFile created: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmpJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeVirustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$30422,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess created: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$30422,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic file information: File size 8321941 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2095272860.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2095174155.0000000003750000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00F357D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: real checksum: 0x0 should be: 0x7f6784
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x343670
Source: update.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343670
Source: update.vbc.1.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.1.drStatic PE information: section name: .00cfg
Source: update.vbc.1.drStatic PE information: section name: .voltbl
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: update.vbc.6.drStatic PE information: section name: .00cfg
Source: update.vbc.6.drStatic PE information: section name: .voltbl
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C84BDDB push ecx; ret 6_2_6C84BDEE
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6F0F00 push ss; retn 0001h6_2_6C6F0F0A
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C87E9F4 push 004AC35Ch; ret 6_2_6C87EA0E
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C91A290 push eax; ret 6_2_6C91A2BE
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C919F10 push eax; ret 6_2_6C919F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB45F4 push 00F5C35Ch; ret 10_2_00EB460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4FB10 push eax; ret 10_2_00F4FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F4FE90 push eax; ret 10_2_00F4FEBE
Source: update.vbc.1.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeFile created: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbcJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeFile created: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpFile created: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5868Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3753Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpWindow / User API: threadDelayed 653Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpWindow / User API: threadDelayed 635Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpWindow / User API: threadDelayed 578Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeAPI coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180Thread sleep time: -9223372036854770s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C83E090 FindFirstFileA,FindClose,FindClose,6_2_6C83E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00EB6868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00EB7496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EB9C60 GetSystemInfo,10_2_00EB9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000002.2052817586.0000000000F7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000002.2052817586.0000000000F7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C6C3886 NtSetInformationThread 00000000,00000011,00000000,000000006_2_6C6C3886
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C853871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C853871
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00F357D0
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C85D425 mov eax, dword ptr fs:[00000030h]6_2_6C85D425
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C85D456 mov eax, dword ptr fs:[00000030h]6_2_6C85D456
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C85286D mov eax, dword ptr fs:[00000030h]6_2_6C85286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C853871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C853871
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C84C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6C84C3AD

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Found driver which could be used to inject code into processes
Source: tProtect.dll.12.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: 6_2_6C91A700 cpuid 6_2_6C91A700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00EBAB2A GetSystemTimeAsFileTime,10_2_00EBAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00F50090 GetVersion,10_2_00F50090
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000002.2213320239.0000000001293000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Defender\MsMpEng.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
Windows Service		1
Access Token Manipulation		11
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Service Execution		1
DLL Side-Loading		1
Windows Service		1
Disable or Modify Tools		LSASS Memory431
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Native API		Logon Script (Windows)111
Process Injection		231
Virtualization/Sandbox Evasion		Security Account Manager231
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		1
Access Token Manipulation		NTDS2
Process Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information		Cached Domain Credentials2
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information		DCSync3
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing		Proc Filesystem25
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1580554 Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... Startdate: 25/12/2024 Architecture: WINDOWS Score: 96 105 Multi AV Scanner detection for dropped file 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 Found driver which could be used to inject code into processes 2->109 111 3 other signatures 2->111 11 #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe 2 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 29 other processes 2->18 process3 file4 103 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, PE32 11->103 dropped 20 #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp 3 5 11->20         started        24 sc.exe 14->24         started        26 sc.exe 16->26         started        28 conhost.exe 16->28         started        30 sc.exe 1 18->30         started        32 sc.exe 1 18->32         started        34 sc.exe 1 18->34         started        36 25 other processes 18->36 process5 file6 87 C:\Users\user\AppData\Local\...\update.vbc, PE32 20->87 dropped 89 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->89 dropped 113 Adds a directory exclusion to Windows Defender 20->113 38 #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe 2 20->38         started        41 powershell.exe 23 20->41         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 24 other processes 36->56 signatures7 process8 file9 91 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, PE32 38->91 dropped 58 #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp 4 15 38->58         started        115 Loading BitLocker PowerShell Module 41->115 62 conhost.exe 41->62         started        64 WmiPrvSE.exe 41->64         started        66 sc.exe 44->66         started        68 Conhost.exe 44->68         started        signatures10 process11 file12 95 C:\Users\user\AppData\Local\...\update.vbc, PE32 58->95 dropped 97 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 58->97 dropped 99 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->99 dropped 101 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 58->101 dropped 117 Query firmware table information (likely to detect VMs) 58->117 119 Protects its processes via BreakOnTermination flag 58->119 121 Hides threads from debuggers 58->121 123 Contains functionality to hide a thread from the debugger 58->123 70 7zr.exe 2 58->70         started        73 cmd.exe 58->73         started        75 7zr.exe 7 58->75         started        77 cmd.exe 58->77         started        signatures13 process14 file15 93 C:\Program Files (x86)\...\tProtect.dll, PE32+ 70->93 dropped 79 conhost.exe 70->79         started        81 sc.exe 73->81         started        83 conhost.exe 75->83         started        process16 process17 85 conhost.exe 81->85         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe5%ReversingLabsWin32.Trojan.Generic
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe10%VirustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\Windows NT\7zr.exe0%ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc26%ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll9%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbc26%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbc26%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exefalse
    		high
    https://www.remobjects.com/ps#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024205732.0000000003600000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024872847.000000007F9DB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000000.2026410772.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000000.2050430122.0000000000BBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drfalse
      		high
      https://www.innosetup.com/#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024205732.0000000003600000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000000.00000003.2024872847.000000007F9DB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000001.00000000.2026410772.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000006.00000000.2050430122.0000000000BBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.0.drfalse
        		high

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580554
        Start date and time:2024-12-25 04:32:09 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 21s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:110
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
        renamed because original name is a hash value
        Original Sample Name:_1.1.5.exe
        Detection:MAL
        Classification:mal96.evad.winEXE@143/31@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 74%
        • Number of executed functions: 27
        • Number of non-executed functions: 112
        Cookbook Comments:
        • Found application associated with file extension: .exe

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe
        • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        22:33:00API Interceptor1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp modified
        22:33:03API Interceptor27x Sleep call for process: powershell.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        C:\Program Files (x86)\Windows NT\7zr.exe#U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeGet hashmaliciousUnknownBrowse
          #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeGet hashmaliciousUnknownBrowse
            #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeGet hashmaliciousUnknownBrowse
              #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeGet hashmaliciousUnknownBrowse
                #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                  #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                    #U5b89#U88c5#U52a9#U624b2.0.6.exeGet hashmaliciousUnknownBrowse
                      #U5b89#U88c5#U52a9#U624b2.0.7.exeGet hashmaliciousUnknownBrowse
                        #U5b89#U88c5#U52a9#U624b2.0.5.exeGet hashmaliciousUnknownBrowse
                          #U5b89#U88c5#U52a9#U624b2.0.4.exeGet hashmaliciousUnknownBrowse

                            Created / dropped Files

                            C:\Program Files (x86)\Windows NT\7zr.exe

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\file.dat (copy)

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):2464593
                            Entropy (8bit):7.999917259281929
                            Encrypted:true
                            SSDEEP:49152:P0SaJ6osCkJL5tzvEfxLicWE/IWRHkLkGdlU9+cYtf5awt1dnyu7SC5Huzs:9aJ545tgfxLzrAGHk9dGEprDyPCas
                            MD5:5665C80102B80E65A502C6D9080E5F30
                            SHA1:966E306CEC6A9C1D523C7B006730B2B6CDCF041B
                            SHA-256:136452C453F7CCE33EB4BE3664EF16B6A1FA45B0348F6C5C90B1AF50253FA378
                            SHA-512:67551869A5A09EB2407D0F17631233ED937A1A455BA6F006DA39411590385191420456A66CCE4550CD0BECBE4C421A206C4E5E2DC1C4849C3640FAD1C59BA6F3
                            Malicious:false
                            Preview:.@S......4..f..............8.P.7.....g...7bP.Z.U...J....{V.z.!}9.uF.`B..KK/......'..<....*'.~m....,..\.....u...noQ7..(.[E.........C^.........bw.:J..m.F..+.rqJ..F.......^).D.y..].4.^.&It.m.y 9..X.;.....C..G.*..(..2-...H.9.&..E..}.x.'.X.K...`.I...v....Y.a.i...O..3.....l._u..B....f...u.z..Y.R.....+-(.>.K.P...1o8B.Y.t...j ...@..C3h.|1?".....Q....R....;Z..O.......4...G....NK.....73........3...c..Rt....)c1.(....-*k.b.9(.(...X..#..."....B.93......"?..U..WQF...7gd..@#0.9..r..0..M........^..r......&....[>.<..HC... r.:..2.....FF!(...p(....B.U......,..i.8_......W*..Qje\Qqy.(.$.d.Jb..l.....$1y.9..((.S....!..p...Z4."...A8.Yh..!1.....A..L.G.sJ.r..(.<.....#{.-.........u?F..^n.D}r..,.o.e.%....GHd.)....SH..r..v..!..N...i.>,....io..j.v.M.aBm...r..1..+....`..h..:.$..G.r.S,)2U.]y'/.!.]...[I7.S..W...R.:........;.~..z....#.p..Yl!.dC...;.G$C.....)<..'<.W..;:6...h%.._..U.s.C.%.=..h.T..>.s.%..~....=..Av......d*....]GL...!....G...Yv...c2'......k...]...

                            C:\Program Files (x86)\Windows NT\hrsw.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\is-HIEVQ.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):2464593
                            Entropy (8bit):7.999917259281929
                            Encrypted:true
                            SSDEEP:49152:P0SaJ6osCkJL5tzvEfxLicWE/IWRHkLkGdlU9+cYtf5awt1dnyu7SC5Huzs:9aJ545tgfxLzrAGHk9dGEprDyPCas
                            MD5:5665C80102B80E65A502C6D9080E5F30
                            SHA1:966E306CEC6A9C1D523C7B006730B2B6CDCF041B
                            SHA-256:136452C453F7CCE33EB4BE3664EF16B6A1FA45B0348F6C5C90B1AF50253FA378
                            SHA-512:67551869A5A09EB2407D0F17631233ED937A1A455BA6F006DA39411590385191420456A66CCE4550CD0BECBE4C421A206C4E5E2DC1C4849C3640FAD1C59BA6F3
                            Malicious:false
                            Preview:.@S......4..f..............8.P.7.....g...7bP.Z.U...J....{V.z.!}9.uF.`B..KK/......'..<....*'.~m....,..\.....u...noQ7..(.[E.........C^.........bw.:J..m.F..+.rqJ..F.......^).D.y..].4.^.&It.m.y 9..X.;.....C..G.*..(..2-...H.9.&..E..}.x.'.X.K...`.I...v....Y.a.i...O..3.....l._u..B....f...u.z..Y.R.....+-(.>.K.P...1o8B.Y.t...j ...@..C3h.|1?".....Q....R....;Z..O.......4...G....NK.....73........3...c..Rt....)c1.(....-*k.b.9(.(...X..#..."....B.93......"?..U..WQF...7gd..@#0.9..r..0..M........^..r......&....[>.<..HC... r.:..2.....FF!(...p(....B.U......,..i.8_......W*..Qje\Qqy.(.$.d.Jb..l.....$1y.9..((.S....!..p...Z4."...A8.Yh..!1.....A..L.G.sJ.r..(.<.....#{.-.........u?F..^n.D}r..,.o.e.%....GHd.)....SH..r..v..!..N...i.>,....io..j.v.M.aBm...r..1..+....`..h..:.$..G.r.S,)2U.]y'/.!.]...[I7.S..W...R.:........;.~..z....#.p..Yl!.dC...;.G$C.....)<..'<.W..;:6...h%.._..U.s.C.%.=..h.T..>.s.%..~....=..Av......d*....]GL...!....G...Yv...c2'......k...]...

                            C:\Program Files (x86)\Windows NT\locale.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.99649875797771
                            Encrypted:true
                            SSDEEP:768:sb8XvBZD6GgA/25XpkGDFHCVyzXlRtJYGxCY5xsyevZNW8nCIxb6mEZn86wgl9S4:U85H+DkGDNlVRbY4fOyejDOm08qM4
                            MD5:63BC99440A59F5BF0269A532923C30C0
                            SHA1:2605520D843F91A10555A64CDDC151542FD0BEC8
                            SHA-256:C1E21ACF158CFE838B9DA76FF2E503F64826E188FECCDCFA21AB5A93F32364DB
                            SHA-512:82B5BD2E321601D745D0B05D6C2DF7E044ED4949CA8749B9C344E3C7CB11DB10213734E85D68CC58218857DDA7999364E045AD7DD9EAA0D787B0820524ABAB43
                            Malicious:false
                            Preview:.@S....VP .l ..............S...>^.dV.7..j=.d.-...T9....U{Ru.E..f...n..UOm....g.2Q.....8I<..o.}CY6E...E-..1..W..r..H.........Ki..}.]...x.o...a.4V........B[...,.W.b.R.z0eus..Nd.)5.5{..h.(b....<. .-.]..~g..p.sX.W.?.`^..i....W....Pjt...J.%.,Z.....K...}.....Le#>..J.I.=.%..S...+..*...Z.&..5|.b..z.....s..._..Sgc..#BB.]C/... ..>$^..J.+7.o.F..n.Ei..s.....FO.O...0..4...-Q/.._.d$%.w6.vsp@'&aR....a.*m.x...d..Q.......-......... W..1a+0....l.H.F.M..y.......3..lM....m....|%..h...:v..IVwoUu../p..'...#.;~7..4Y.q...b..]...B...... m.1%..B.>.....)..m....1-#C.1..........g=qzn-I..\$.b8^......l%.GZ..=]..9c...-...iz..y....YxB.:....#..c...I_..#.)w...2...9P.=.!.@.Z0..&..+.&..zY=7.../......|.......|...ax.h4jw.#..!u.X..fSV.(..Q.L..d.z..l.m...".7.iz...z.\....E...../.L.j....P...+..8.v.........E.5dUB..oH..o...$.Z..),......._..o&..3.v.([.._.....%7....]?..HrQ..;....&..%.eP#!Q...o56.^.XA.R~&......(J.2Y..6......j+..-.......$.Q...k....8.a..f.^M..t.....7......]~...R..W.(^..0.E...9..

                            C:\Program Files (x86)\Windows NT\locale.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.99649875797771
                            Encrypted:true
                            SSDEEP:1536:uFIdls0DaY1g+3AIL4yMiOqFqgqKjSnwe0aw33XFjSUjG:uFYsu7A5q0j5kLjG
                            MD5:409CFE53DF3C253AE76242E5CBA8BB14
                            SHA1:623529513EDAA659BB927D5ED7E790E48018A316
                            SHA-256:B30B90D8AD7FA7AB74EBE50FDFC1AEA6AD4ABC89AA9F7659B9C9182B1308CDC7
                            SHA-512:B1843D231088701C1683A41A45C5548F1F5EAD83F8BCFE1964170CFA1252911DC0C1FBEB780462377F4F976EC8730867B531C4298EBB94E92D6B14A85E70185C
                            Malicious:false
                            Preview:7z..'..............2........Z.!.P..b..>..y........s..^.....5."sT.dcf.7....&Q.D.....r.:..Ls.?o....TXT..yz.%<.MO..'T.)eN..Tn.O+.....;..;.w..'....wO_.l%/..h..?...z.k....3e!..;....b*.s.dJ=..$...Z.Q...d..X......Q..T..G.J...W.m"...8.|"d...,.iT....RP....R.(.....I.}.`...-"..=.....23..9..D.......Q..!4...S..........,T...q...j ...7K....U...W..Ea.]...e6.....(..Q...}...v......@..x........&n...B.G..jp0M<..9B.Y*..ke:d}&."..0di.IRP.n.......@.6..c..K..C.Y.=......*pi.......d....{..........!.\>.........8.t.kX.P`.BR.a^Z....\..=..:.N.(....I.. .....q..1.w-:A~9.7...............Y3."...{......T..{<:.O....E$^.rGJx...M....V.(..,.e.\v...kN...:D}.......'.....Y....pA....l._.Q.0.G...l.PuM...D....>.VA...Kt.....4..7.RG.L.wv..vEY.f.l..d......<....K...q...q..j8.`'.....Q.?.B-../.%......"..;e..\1....54..p*.W..W.$*..,+.:a.$....L.R....$()r...vc....F...cy.84.......Ti.....9..)....../...T..u.u...Z...z..^x.}3...J.Z&?.x...P.R.r.....NZ..5.x!...^(-$..'.....$.b.\..V.T}....

                            C:\Program Files (x86)\Windows NT\locale2.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

                            C:\Program Files (x86)\Windows NT\locale2.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

                            C:\Program Files (x86)\Windows NT\locale3.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

                            C:\Program Files (x86)\Windows NT\locale3.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

                            C:\Program Files (x86)\Windows NT\locale4.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...

                            C:\Program Files (x86)\Windows NT\locale4.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

                            C:\Program Files (x86)\Windows NT\locale7.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

                            C:\Program Files (x86)\Windows NT\locale7.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

                            C:\Program Files (x86)\Windows NT\res.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):2464593
                            Entropy (8bit):7.999917259281932
                            Encrypted:true
                            SSDEEP:49152:WYPvFRd5ZMtePny2zkkc8Q84KToeHHzc0U8XZgqdFYUGYvErIXSn4:xV9KQnRzN4Kk+c0U8p0UG4in4
                            MD5:A9393518652F0990369819A8337C6AD0
                            SHA1:8A7E8D860DC6B115999CDCD9FFD39A05F952FF90
                            SHA-256:0161FBB85C030FCDCC6205E0CF84F22536022278316B7386CC4F899AEFEE6AA6
                            SHA-512:2A57D44F791A3DA95E610FC189DFCFB2EA0D652B6BFB0885FFE31A198D5A66F2E90847466ACA4016E7E02E9061FA6590F90AC2E7A371E50328087038CFCF55FD
                            Malicious:false
                            Preview:7z..'...l+.O.%.....A........q.+.jRB..<Z....m....yy..M..]..*.`........PS...N..6..I..7Z..4:B_..R..<..dB..(..n.5B..).N......[... .p%.......;..4.p....a{.,..W..:n.=....J.....y.:........%g.z..]..>R......{.M...e.N.pa...........z9(.1.o.ee.....d.M.;c...d.}..BW...1[db.~.5..4.V.....4_<.r......me6..jT..>..+./I.vwO.r...z.\.E..x...c.R...x...a.Z/..2R....cC..Y`D.(:..]X.X.........;.$.A...4./..6..md...H..A9DL$.;SxT.o.[.....d...... .|.._.......,.P.(....H...L..i.U..S.a.Z0..E...b...........q.'..^2.....-.. Ao...z..rt.S3P.%tJ.d..#..!..(U...2F....W'.........^:...@.B-,.'...Fbt".p..*.n.M....+5...........D..z_..-...Z..%.lF..W..l./.oY.uic....fqU..q..rH.....KHz..ra.l. ....9o..~.z1.aW...h\l.,..eE..u"..a...4..H.:w.......P...S.{a.V...XJ,[..E..a..M...?.,..N2A.g...R8.c.q...0.m.o.....R.|\.]"..n..., .{.J....x......F.9R.W...G.d;n....X.{.....3m-H.....x..Bo..,.LH...?...........@h\..*..._..i..... ..&.b....-._...\D.e.m...(.,2...>..e{..O:.X$A...uCB}...|z!..<E!.n.y..m8)....k.....@...? .

                            C:\Program Files (x86)\Windows NT\tProtect.dll

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\task.xml

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.344567528038744
                            Encrypted:false
                            SSDEEP:48:dXKLzDlniPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlniP6whldOVQOj6dKbKsz7
                            MD5:AE3812B9995E6A5AF22288E194BAAA96
                            SHA1:39FC47ACD37354E4266CA3B4196F2A588B2BA9E9
                            SHA-256:253E19D5392A7ACB8800D53EE906CD29322773B2639732903157BE85EBA14D5F
                            SHA-512:64B8984DA418779CAB5EC59E9329271CD89C664E7BF147F5D32678A958D69C301D56A78A2ECCF4C4D94462264E337279ECE35CC32DFE550A87CD22321819E0B8
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkA

                            C:\Program Files (x86)\Windows NT\trash

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2214437
                            Entropy (8bit):7.999922872901766
                            Encrypted:true
                            SSDEEP:49152:fclXNksaGnc2RfxA3C66xl58vuoM4Ho07R6+KqAK1d2nxNd7qglRhKT:fCXNikmy66xcml4HoCR6+KRK1CLtA
                            MD5:099001127986641A6CFAD5AE7BE891A8
                            SHA1:6D7BD2CE74297577C979AB8C58740A4AD5112C55
                            SHA-256:7DD7150DE32E90C9A417F4748E1282CA270B546945F34ACF2A3243B786902248
                            SHA-512:83FCCE63039B8D5AE10653D8439499A82474B8F7534FBB09F2A672E3D8B11561E1CE154456FD22C241E71D84DD253FC62ADBAE3B67744B0E151DFF707D40B4F3
                            Malicious:false
                            Preview:.W..........9).?PR].h........D?. .Y."......M....m......H..(...Z!....[A.....-x...:.`.~....J.Lx7.m.w.b.H+..Y}......w66V...y.Y..J..^.!z.!.........uq.U.Eq..P........1...4.........x.b.p...h..{...>.>..~...[....U...._.%.....q....M4..Q..6'L..e..$S......h.o..w...#...%.}.=......i.zn.L.....|...*R....00..4T;.!...V.'V..^F..p...E.'M.x..fd.h'(.`..}.).....^........Jf@..2k.LQ&....lu.Z7c.0....g.=T.}^...Y.Nry.b.............[.d~.-<.>..>.._.t...K.AU!.j.........?E|_Hx.....d...a.[...".ni.._.U...!..R...R.Z&...I...Y......r...$.....V8.q..|.....*y.8..P....4o.EG.... .......iQ7...=.bK.7iz...N.Z$U.a.Q.Z..9...8>..J.........z0.)g.W;..r.Y9.C..O.....~..q. ...=%z..J.I%.....!Q........B;...WM4.......e..c......u......\.q..<...U;.x........oN..}....R".\.....2.6.V2..?9..vl.dka.X....j.K.7..z.NI....;.C.j. ...@....v..;.....1.....r.2,.t..H...7:...s.3.`6.(J!W.Oi..b.Vr..LsI4.O.....(.^.!6..m.5..v?..+."H..+...-.....I.%...X..s4....u..g..<eQ..g....".........S..{.....#d$s........OUH

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulxmH/lZ:NllUg
                            MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                            SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                            SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                            SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                            Malicious:false
                            Preview:@...e................................. ..............@..........

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10u5034m.y25.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpssryq1.n1d.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrfxavtm.53e.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xx0lxbqp.d2c.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-33QTC.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530557407809864
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:0C60D7DFC89698F75CB7C33C3D3DFF44
                            SHA1:2456CDD682D6A25EB97E65F087ED2F9EE5A46EE7
                            SHA-256:76D8A8B8E3E5B039D4C8916B2BAA572D6C3BCD679A8EE100B97C0AEF39C983B1
                            SHA-512:12273188E8AA10A1F4753A4D4D2E35116E855EA6D7D39A201D1B58073E1C79EF9521B2C4EE7A218B8B0974974AB3DBE84148B45CBE0D8845557889BEC5413CE0
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530557407809864
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:0C60D7DFC89698F75CB7C33C3D3DFF44
                            SHA1:2456CDD682D6A25EB97E65F087ED2F9EE5A46EE7
                            SHA-256:76D8A8B8E3E5B039D4C8916B2BAA572D6C3BCD679A8EE100B97C0AEF39C983B1
                            SHA-512:12273188E8AA10A1F4753A4D4D2E35116E855EA6D7D39A201D1B58073E1C79EF9521B2C4EE7A218B8B0974974AB3DBE84148B45CBE0D8845557889BEC5413CE0
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-9OESO.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            \Device\ConDrv

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.956955410854398
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                            File size:8'321'941 bytes
                            MD5:03ea7f971fc545436e2e3dc7dcb4b3ce
                            SHA1:6bf3648177bdf3c058370ff1b1497941e57d97f4
                            SHA256:cd2784184b63ef5c32bb840092c2eb00a4f52ef8ec0ea8ef23277dce0c2d9a12
                            SHA512:9405c3a94401f260ea35d80edf24eaf0fdeb9f8ae2449146c97d1ff51721e4812dd02d195336d3b3072afc1c7f1980794f3e2bdbc5860893520fe59025f189b5
                            SSDEEP:196608:lk0HqMrtTdrZEQyhgfrA6rcml1Eb/oae9UuYaFBX:lk0K6rKQyhM4mlecNUuYar
                            TLSH:A1862322F2CBE03EE05E0B3B16B2B15454FB6A116522BD568AECB4ECCF351901D3E657
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                            File Icon

                            Icon Hash:0c0c2d33ceec80aa

                            Static PE Info

                            General

                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F01752783A5h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F0175309D2Bh
                            call 00007F017530987Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F0175304558h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F0175272453h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F0175305883h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F0175309DB3h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F0175310A9Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F0175306178h
                            mov edx, dword ptr [004B4200h]

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0xb70000x71.edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xb50000xfec.idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xcb0000x11000.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000x10fa8.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0xb90000x18.rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0xb52d40x25c.idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb60000x1a4.didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x10000xa568c0xa5800b889d302f6fc48a904de33d8d947ae80False0.3620185045317221data6.377190161826806IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext0xa70000x1b640x1c00588dd0a8ab499300d3701cbd11b017d9False0.548828125data6.109264411030635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data0xa90000x38380x3a005c0c76e77aef52ebc6702430837ccb6eFalse0.35338092672413796data4.95916338709992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss0xad0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata0xb50000xfec0x1000627340dff539ef99048969aa4824fb2dFalse0.380615234375data5.020404933181373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata0xb60000x1a40x200fd11c1109737963cc6cb7258063abfd6False0.34765625data2.729290535217263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata0xb70000x710x2007de8ca0c7a61668a728fd3a88dc0942dFalse0.1796875data1.305578535725827IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls0xb80000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata0xb90000x5d0x200d84006640084dc9f74a07c2ff9c7d656False0.189453125data1.3892750148744617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xba0000x10fa80x11000a85fda2741bd9417695daa5fc5a9d7a5False0.5789579503676471data6.709466460182023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc0xcb0000x110000x110004f47b74c29e20ebd47a1e32e38e1dbeaFalse0.18768669577205882data3.722210548314605IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_ICON0xcb6780xa68Device independent bitmap graphic, 64 x 128 x 4, image size 2048EnglishUnited States0.1174924924924925
                            RT_ICON0xcc0e00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.15792682926829268
                            RT_ICON0xcc7480x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.23387096774193547
                            RT_ICON0xcca300x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.39864864864864863
                            RT_ICON0xccb580x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colorsEnglishUnited States0.08339210155148095
                            RT_ICON0xce1800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.1023454157782516
                            RT_ICON0xcf0280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.10649819494584838
                            RT_ICON0xcf8d00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.10838150289017341
                            RT_ICON0xcfe380x12e5PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8712011577424024
                            RT_ICON0xd11200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.05668398677373642
                            RT_ICON0xd53480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08475103734439834
                            RT_ICON0xd78f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.09920262664165103
                            RT_ICON0xd89980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.2047872340425532
                            RT_STRING0xd8e000x3f8data0.3198818897637795
                            RT_STRING0xd91f80x2dcdata0.36475409836065575
                            RT_STRING0xd94d40x430data0.40578358208955223
                            RT_STRING0xd99040x44cdata0.38636363636363635
                            RT_STRING0xd9d500x2d4data0.39226519337016574
                            RT_STRING0xda0240xb8data0.6467391304347826
                            RT_STRING0xda0dc0x9cdata0.6410256410256411
                            RT_STRING0xda1780x374data0.4230769230769231
                            RT_STRING0xda4ec0x398data0.3358695652173913
                            RT_STRING0xda8840x368data0.3795871559633027
                            RT_STRING0xdabec0x2a4data0.4275147928994083
                            RT_RCDATA0xdae900x10data1.5
                            RT_RCDATA0xdaea00x310data0.6173469387755102
                            RT_RCDATA0xdb1b00x2cdata1.1818181818181819
                            RT_GROUP_ICON0xdb1dc0xbcdataEnglishUnited States0.6170212765957447
                            RT_VERSION0xdb2980x584dataEnglishUnited States0.2754957507082153
                            RT_MANIFEST0xdb81c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                            Imports

                            DLLImport
                            kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dllInitCommonControls
                            user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                            Exports

                            NameOrdinalAddress
                            __dbk_fcall_wrapper20x40fc10
                            dbkFCallWrapperAddr10x4b063c

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            No network behavior found

                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:22:32:59
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
                            Imagebase:0xae0000
                            File size:8'321'941 bytes
                            MD5 hash:03EA7F971FC545436E2E3DC7DCB4B3CE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:1
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-5F7TG.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$10418,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
                            Imagebase:0xa10000
                            File size:3'366'912 bytes
                            MD5 hash:0C60D7DFC89698F75CB7C33C3D3DFF44
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:3
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:4
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:5
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
                            Imagebase:0xae0000
                            File size:8'321'941 bytes
                            MD5 hash:03EA7F971FC545436E2E3DC7DCB4B3CE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            General

                            Target ID:6
                            Start time:22:33:02
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-5ELGV.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$30422,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
                            Imagebase:0x940000
                            File size:3'366'912 bytes
                            MD5 hash:0C60D7DFC89698F75CB7C33C3D3DFF44
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:7
                            Start time:22:33:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:8
                            Start time:22:33:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:9
                            Start time:22:33:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:10
                            Start time:22:33:04
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0xeb0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:11
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:12
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0xeb0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:13
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:14
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff6ef0c0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            General

                            Target ID:15
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:16
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:17
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:18
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:19
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:20
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:21
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:22
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:23
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:24
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:25
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:26
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:27
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:28
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:29
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:30
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:31
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:32
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:33
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:34
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:35
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:36
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:37
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:38
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:39
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:40
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:41
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:42
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:43
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:44
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:45
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:46
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:47
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:48
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:49
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:50
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:51
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:52
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:53
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:54
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:55
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:56
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:57
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:58
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:59
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:60
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:61
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:62
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:63
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:64
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:65
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:66
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:67
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:68
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:69
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:70
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:71
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:72
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:73
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:74
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:75
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:76
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:77
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:78
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:79
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:80
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:81
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:82
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:83
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:84
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:85
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:86
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:87
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:88
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:89
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:90
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:91
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:92
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:93
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:94
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:95
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:96
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:97
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:98
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:99
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:100
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:101
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:102
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:103
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:104
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:105
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:106
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7eb920000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:107
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:108
                            Start time:22:33:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff664950000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:266
                            Start time:22:33:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:1.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:5.2%
                              Total number of Nodes:737
                              Total number of Limit Nodes:9
                              execution_graph 97707 6c8601c3 97708 6c8601d5 __dosmaperr 97707->97708 97709 6c8601ed 97707->97709 97709->97708 97711 6c860238 __dosmaperr 97709->97711 97712 6c860267 97709->97712 97754 6c853810 18 API calls __cftoe 97711->97754 97713 6c860280 97712->97713 97714 6c86029b __dosmaperr 97712->97714 97716 6c8602d7 __wsopen_s 97712->97716 97713->97714 97735 6c860285 97713->97735 97747 6c853810 18 API calls __cftoe 97714->97747 97748 6c857eab HeapFree GetLastError __dosmaperr 97716->97748 97718 6c86042e 97721 6c8604a4 97718->97721 97724 6c860447 GetConsoleMode 97718->97724 97719 6c8602f7 97749 6c857eab HeapFree GetLastError __dosmaperr 97719->97749 97723 6c8604a8 ReadFile 97721->97723 97726 6c8604c2 97723->97726 97727 6c86051c GetLastError 97723->97727 97724->97721 97728 6c860458 97724->97728 97725 6c8602fe 97731 6c8602b2 __dosmaperr __wsopen_s 97725->97731 97750 6c85e359 20 API calls __wsopen_s 97725->97750 97726->97727 97733 6c860499 97726->97733 97727->97731 97728->97723 97729 6c86045e ReadConsoleW 97728->97729 97729->97733 97734 6c86047a GetLastError 97729->97734 97751 6c857eab HeapFree GetLastError __dosmaperr 97731->97751 97733->97731 97736 6c8604e7 97733->97736 97737 6c8604fe 97733->97737 97734->97731 97742 6c8650d5 97735->97742 97752 6c8605ee 23 API calls 3 library calls 97736->97752 97737->97731 97738 6c860515 97737->97738 97753 6c8608a6 21 API calls __wsopen_s 97738->97753 97741 6c86051a 97741->97731 97743 6c8650e2 97742->97743 97745 6c8650ef 97742->97745 97743->97718 97744 6c8650fb 97744->97718 97745->97744 97755 6c853810 18 API calls __cftoe 97745->97755 97747->97731 97748->97719 97749->97725 97750->97735 97751->97708 97752->97731 97753->97741 97754->97708 97755->97743 97756 6c85262f 97757 6c85263b __wsopen_s 97756->97757 97758 6c852642 GetLastError ExitThread 97757->97758 97759 6c85264f 97757->97759 97768 6c8580a2 GetLastError 97759->97768 97765 6c85266b 97802 6c85259a 16 API calls 2 library calls 97765->97802 97767 6c85268d 97769 6c8580bf 97768->97769 97770 6c8580b9 97768->97770 97774 6c8580c5 SetLastError 97769->97774 97804 6c85a252 6 API calls std::_Lockit::_Lockit 97769->97804 97803 6c85a213 6 API calls std::_Lockit::_Lockit 97770->97803 97773 6c8580dd 97773->97774 97775 6c8580e1 97773->97775 97781 6c852654 97774->97781 97782 6c858159 97774->97782 97805 6c85a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 97775->97805 97777 6c8580ed 97779 6c8580f5 97777->97779 97780 6c85810c 97777->97780 97806 6c85a252 6 API calls std::_Lockit::_Lockit 97779->97806 97808 6c85a252 6 API calls std::_Lockit::_Lockit 97780->97808 97796 6c85d456 97781->97796 97811 6c8541b9 37 API calls std::locale::_Setgloballocale 97782->97811 97787 6c858118 97789 6c85812d 97787->97789 97790 6c85811c 97787->97790 97788 6c858103 97807 6c857eab HeapFree GetLastError __dosmaperr 97788->97807 97810 6c857eab HeapFree GetLastError __dosmaperr 97789->97810 97809 6c85a252 6 API calls std::_Lockit::_Lockit 97790->97809 97793 6c858109 97793->97774 97795 6c85813f 97795->97774 97797 6c85d468 GetPEB 97796->97797 97800 6c85265f 97796->97800 97798 6c85d47b 97797->97798 97797->97800 97812 6c85a508 5 API calls std::_Lockit::_Lockit 97798->97812 97800->97765 97801 6c85a45f 5 API calls std::_Lockit::_Lockit 97800->97801 97801->97765 97802->97767 97803->97769 97804->97773 97805->97777 97806->97788 97807->97793 97808->97787 97809->97788 97810->97795 97812->97800 97813 6c6df150 97815 6c6defbe 97813->97815 97814 6c6df243 CreateFileA 97817 6c6df2a7 97814->97817 97815->97814 97816 6c6e02ca 97817->97816 97818 6c6e02ac GetCurrentProcess TerminateProcess 97817->97818 97818->97816 97819 6c6c3d62 97821 6c6c3bc0 97819->97821 97820 6c6c3e8a GetCurrentThread NtSetInformationThread 97822 6c6c3eea 97820->97822 97821->97820 97823 6c6d3b72 97836 6c84a133 97823->97836 97826 6c6e639e 97899 6c853820 18 API calls 2 library calls 97826->97899 97832 6c6d37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 97832->97826 97850 6c83e090 97832->97850 97856 6c6e6ba0 97832->97856 97875 6c6e6e60 97832->97875 97885 6c6e7090 97832->97885 97898 6c70e010 67 API calls 97832->97898 97838 6c84a138 97836->97838 97837 6c84a152 97837->97832 97838->97837 97841 6c84a154 std::_Facet_Register 97838->97841 97900 6c852704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 97838->97900 97840 6c84afb3 std::_Facet_Register 97904 6c84ca69 RaiseException 97840->97904 97841->97840 97901 6c84ca69 RaiseException 97841->97901 97843 6c84b7ac IsProcessorFeaturePresent 97849 6c84b7d1 97843->97849 97845 6c84af73 97902 6c84ca69 RaiseException 97845->97902 97847 6c84af93 std::invalid_argument::invalid_argument 97903 6c84ca69 RaiseException 97847->97903 97849->97832 97851 6c83e0a6 FindFirstFileA 97850->97851 97852 6c83e0a4 97850->97852 97853 6c83e0e0 97851->97853 97852->97851 97854 6c83e13c 97853->97854 97855 6c83e0e2 FindClose 97853->97855 97854->97832 97855->97853 97857 6c6e6bd5 97856->97857 97905 6c712020 97857->97905 97859 6c6e6c68 97860 6c84a133 std::_Facet_Register 4 API calls 97859->97860 97861 6c6e6ca0 97860->97861 97922 6c84aa17 97861->97922 97863 6c6e6cb4 97934 6c711d90 97863->97934 97866 6c6e6d8e 97866->97832 97868 6c6e6dc8 97942 6c7126e0 24 API calls 4 library calls 97868->97942 97870 6c6e6dda 97943 6c84ca69 RaiseException 97870->97943 97872 6c6e6def 97944 6c70e010 67 API calls 97872->97944 97874 6c6e6e0f 97874->97832 97876 6c6e6e9f 97875->97876 97880 6c6e6eb3 97876->97880 98307 6c713560 32 API calls std::_Xinvalid_argument 97876->98307 97879 6c6e6f5b 97881 6c6e6f6e 97879->97881 98308 6c7137e0 32 API calls std::_Xinvalid_argument 97879->98308 97880->97879 98309 6c712250 30 API calls 97880->98309 98310 6c7126e0 24 API calls 4 library calls 97880->98310 98311 6c84ca69 RaiseException 97880->98311 97881->97832 97886 6c6e709e 97885->97886 97889 6c6e70d1 97885->97889 98312 6c7101f0 97886->98312 97887 6c6e7183 97887->97832 97889->97887 98316 6c712250 30 API calls 97889->98316 97892 6c854208 67 API calls 97892->97889 97893 6c6e71ae 98317 6c712340 24 API calls 97893->98317 97895 6c6e71be 98318 6c84ca69 RaiseException 97895->98318 97897 6c6e71c9 97898->97832 97900->97838 97901->97845 97902->97847 97903->97840 97904->97843 97906 6c84a133 std::_Facet_Register 4 API calls 97905->97906 97907 6c71207e 97906->97907 97908 6c84aa17 43 API calls 97907->97908 97909 6c712092 97908->97909 97945 6c712f60 42 API calls 4 library calls 97909->97945 97911 6c7120c8 97912 6c71210d 97911->97912 97913 6c712136 97911->97913 97914 6c712120 97912->97914 97946 6c84a67e 9 API calls 2 library calls 97912->97946 97947 6c712250 30 API calls 97913->97947 97914->97859 97917 6c71215b 97948 6c712340 24 API calls 97917->97948 97919 6c712171 97949 6c84ca69 RaiseException 97919->97949 97921 6c71217c 97921->97859 97923 6c84aa23 __EH_prolog3 97922->97923 97950 6c84a5a5 97923->97950 97928 6c84aa41 97964 6c84aaaa 39 API calls std::locale::_Setgloballocale 97928->97964 97929 6c84aa5f 97956 6c84a5d6 97929->97956 97930 6c84aa9c 97930->97863 97932 6c84aa49 97965 6c84a8a1 HeapFree GetLastError _Yarn 97932->97965 97935 6c6e6d5d 97934->97935 97936 6c711ddc 97934->97936 97935->97866 97941 6c712250 30 API calls 97935->97941 97970 6c84ab37 97936->97970 97940 6c711e82 97941->97868 97942->97870 97943->97872 97944->97874 97945->97911 97946->97914 97947->97917 97948->97919 97949->97921 97951 6c84a5b4 97950->97951 97952 6c84a5bb 97950->97952 97966 6c853abd 6 API calls std::_Lockit::_Lockit 97951->97966 97954 6c84a5b9 97952->97954 97967 6c84bc7b EnterCriticalSection 97952->97967 97954->97929 97963 6c84a920 6 API calls 2 library calls 97954->97963 97957 6c84a5e0 97956->97957 97958 6c853acb 97956->97958 97960 6c84a5f3 97957->97960 97968 6c84bc89 LeaveCriticalSection 97957->97968 97969 6c853aa6 LeaveCriticalSection 97958->97969 97960->97930 97962 6c853ad2 97962->97930 97963->97928 97964->97932 97965->97929 97966->97954 97967->97954 97968->97960 97969->97962 97971 6c84ab40 97970->97971 97977 6c711dea 97971->97977 97979 6c85343a 97971->97979 97973 6c84ab8c 97973->97977 97990 6c853148 65 API calls 97973->97990 97975 6c84aba7 97975->97977 97991 6c854208 97975->97991 97977->97935 97978 6c84fc53 18 API calls __cftoe 97977->97978 97978->97940 97980 6c853445 __wsopen_s 97979->97980 97981 6c853458 97980->97981 97982 6c853478 97980->97982 98016 6c853810 18 API calls __cftoe 97981->98016 97984 6c853468 97982->97984 98002 6c85e4fc 97982->98002 97984->97973 97990->97975 97992 6c854214 __wsopen_s 97991->97992 97993 6c854233 97992->97993 97994 6c85421e 97992->97994 97995 6c85422e 97993->97995 98197 6c84fc99 EnterCriticalSection 97993->98197 98212 6c853810 18 API calls __cftoe 97994->98212 97995->97977 97997 6c854250 98198 6c85428c 97997->98198 98000 6c85425b 98213 6c854282 LeaveCriticalSection 98000->98213 98003 6c85e508 __wsopen_s 98002->98003 98018 6c853a8f EnterCriticalSection 98003->98018 98005 6c85e516 98019 6c85e5a0 98005->98019 98010 6c85e662 98011 6c85e781 98010->98011 98043 6c85e804 98011->98043 98015 6c8534bc 98017 6c8534e5 LeaveCriticalSection 98015->98017 98016->97984 98017->97984 98018->98005 98027 6c85e5c3 98019->98027 98020 6c85e523 98033 6c85e55c 98020->98033 98021 6c85e61b 98038 6c85a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 98021->98038 98023 6c85e624 98039 6c857eab HeapFree GetLastError __dosmaperr 98023->98039 98026 6c85e62d 98026->98020 98040 6c85a30f 6 API calls std::_Lockit::_Lockit 98026->98040 98027->98020 98027->98021 98027->98027 98036 6c84fc99 EnterCriticalSection 98027->98036 98037 6c84fcad LeaveCriticalSection 98027->98037 98030 6c85e64c 98041 6c84fc99 EnterCriticalSection 98030->98041 98032 6c85e65f 98032->98020 98042 6c853aa6 LeaveCriticalSection 98033->98042 98035 6c853493 98035->97984 98035->98010 98036->98027 98037->98027 98038->98023 98039->98026 98040->98030 98041->98032 98042->98035 98044 6c85e823 98043->98044 98045 6c85e836 98044->98045 98049 6c85e84b 98044->98049 98059 6c853810 18 API calls __cftoe 98045->98059 98047 6c85e797 98047->98015 98056 6c8676ce 98047->98056 98049->98049 98054 6c85e96b 98049->98054 98060 6c867598 37 API calls __cftoe 98049->98060 98051 6c85e9bb 98051->98054 98061 6c867598 37 API calls __cftoe 98051->98061 98053 6c85e9d9 98053->98054 98062 6c867598 37 API calls __cftoe 98053->98062 98054->98047 98063 6c853810 18 API calls __cftoe 98054->98063 98064 6c867a86 98056->98064 98059->98047 98060->98051 98061->98053 98062->98054 98063->98047 98065 6c867a92 __wsopen_s 98064->98065 98066 6c867a99 98065->98066 98067 6c867ac4 98065->98067 98082 6c853810 18 API calls __cftoe 98066->98082 98073 6c8676ee 98067->98073 98072 6c8676e9 98072->98015 98084 6c853dbb 98073->98084 98079 6c867724 98080 6c867756 98079->98080 98124 6c857eab HeapFree GetLastError __dosmaperr 98079->98124 98083 6c867b1b LeaveCriticalSection __wsopen_s 98080->98083 98082->98072 98083->98072 98125 6c84f3db 98084->98125 98087 6c853ddf 98089 6c84f4e6 98087->98089 98134 6c84f53e 98089->98134 98091 6c84f4fe 98091->98079 98092 6c86775c 98091->98092 98149 6c867bdc 98092->98149 98098 6c867882 GetFileType 98100 6c8678d4 98098->98100 98101 6c86788d GetLastError 98098->98101 98099 6c86778e __dosmaperr 98099->98079 98179 6c864ea0 SetStdHandle __dosmaperr __wsopen_s 98100->98179 98178 6c8530e2 __dosmaperr 98101->98178 98102 6c867857 GetLastError 98102->98099 98104 6c867805 98104->98098 98104->98102 98177 6c867b47 CreateFileW 98104->98177 98105 6c86789b CloseHandle 98105->98099 98123 6c8678c4 98105->98123 98108 6c86784a 98108->98098 98108->98102 98109 6c8678f5 98110 6c867941 98109->98110 98180 6c867d56 70 API calls 2 library calls 98109->98180 98114 6c867948 98110->98114 98194 6c867e00 70 API calls 2 library calls 98110->98194 98113 6c867976 98113->98114 98115 6c867984 98113->98115 98181 6c85f015 98114->98181 98115->98099 98117 6c867a00 CloseHandle 98115->98117 98195 6c867b47 CreateFileW 98117->98195 98119 6c867a2b 98120 6c867a35 GetLastError 98119->98120 98119->98123 98121 6c867a41 __dosmaperr 98120->98121 98196 6c864e0f SetStdHandle __dosmaperr __wsopen_s 98121->98196 98123->98099 98124->98080 98126 6c84f3f2 98125->98126 98127 6c84f3fb 98125->98127 98126->98087 98133 6c85a0c5 5 API calls std::_Lockit::_Lockit 98126->98133 98127->98126 98128 6c8580a2 __Getctype 37 API calls 98127->98128 98129 6c84f41b 98128->98129 98130 6c858618 __Getctype 37 API calls 98129->98130 98131 6c84f431 98130->98131 98132 6c858645 __cftoe 37 API calls 98131->98132 98132->98126 98133->98087 98135 6c84f566 98134->98135 98136 6c84f54c 98134->98136 98138 6c84f58c 98135->98138 98139 6c84f56d 98135->98139 98137 6c84f4cc __wsopen_s HeapFree GetLastError 98136->98137 98140 6c84f556 __dosmaperr 98137->98140 98141 6c857f33 __fassign MultiByteToWideChar 98138->98141 98139->98140 98142 6c84f48d __wsopen_s HeapFree GetLastError 98139->98142 98140->98091 98144 6c84f59b 98141->98144 98142->98140 98143 6c84f5a2 GetLastError 98143->98140 98144->98143 98145 6c84f5c8 98144->98145 98146 6c84f48d __wsopen_s HeapFree GetLastError 98144->98146 98145->98140 98147 6c857f33 __fassign MultiByteToWideChar 98145->98147 98146->98145 98148 6c84f5df 98147->98148 98148->98140 98148->98143 98150 6c867c17 98149->98150 98152 6c867bfd 98149->98152 98151 6c867b6c __wsopen_s 18 API calls 98150->98151 98155 6c867c4f 98151->98155 98152->98150 98153 6c853810 __cftoe 18 API calls 98152->98153 98153->98150 98154 6c867c7e 98156 6c869001 __wsopen_s 18 API calls 98154->98156 98161 6c867779 98154->98161 98155->98154 98158 6c853810 __cftoe 18 API calls 98155->98158 98157 6c867ccc 98156->98157 98159 6c867d49 98157->98159 98157->98161 98158->98154 98160 6c85383d __Getctype 11 API calls 98159->98160 98162 6c867d55 98160->98162 98161->98099 98163 6c864cfc 98161->98163 98164 6c864d08 __wsopen_s 98163->98164 98165 6c853a8f std::_Lockit::_Lockit EnterCriticalSection 98164->98165 98168 6c864d0f 98165->98168 98166 6c864d56 98169 6c864e06 __wsopen_s LeaveCriticalSection 98166->98169 98167 6c864d34 98170 6c864f32 __wsopen_s 11 API calls 98167->98170 98168->98166 98168->98167 98173 6c864da3 EnterCriticalSection 98168->98173 98171 6c864d76 98169->98171 98172 6c864d39 98170->98172 98171->98099 98176 6c867b47 CreateFileW 98171->98176 98172->98166 98175 6c865080 __wsopen_s EnterCriticalSection 98172->98175 98173->98166 98174 6c864db0 LeaveCriticalSection 98173->98174 98174->98168 98175->98166 98176->98104 98177->98108 98178->98105 98179->98109 98180->98110 98182 6c864c92 __wsopen_s 18 API calls 98181->98182 98183 6c85f025 98182->98183 98184 6c85f02b 98183->98184 98186 6c864c92 __wsopen_s 18 API calls 98183->98186 98193 6c85f05d 98183->98193 98185 6c864e0f __wsopen_s SetStdHandle 98184->98185 98190 6c85f083 __dosmaperr 98185->98190 98188 6c85f054 98186->98188 98187 6c864c92 __wsopen_s 18 API calls 98189 6c85f069 CloseHandle 98187->98189 98191 6c864c92 __wsopen_s 18 API calls 98188->98191 98189->98184 98192 6c85f075 GetLastError 98189->98192 98190->98099 98191->98193 98192->98184 98193->98184 98193->98187 98194->98113 98195->98119 98196->98123 98197->97997 98199 6c8542ae 98198->98199 98200 6c854299 98198->98200 98205 6c8542a9 98199->98205 98214 6c8543a9 98199->98214 98236 6c853810 18 API calls __cftoe 98200->98236 98205->98000 98208 6c8542d1 98229 6c85ef88 98208->98229 98210 6c8542d7 98210->98205 98237 6c857eab HeapFree GetLastError __dosmaperr 98210->98237 98212->97995 98213->97995 98215 6c8543c1 98214->98215 98216 6c8542c3 98214->98216 98215->98216 98217 6c85d350 18 API calls 98215->98217 98220 6c85be2e 98216->98220 98218 6c8543df 98217->98218 98238 6c85f25c 98218->98238 98221 6c85be45 98220->98221 98222 6c8542cb 98220->98222 98221->98222 98294 6c857eab HeapFree GetLastError __dosmaperr 98221->98294 98224 6c85d350 98222->98224 98225 6c85d371 98224->98225 98226 6c85d35c 98224->98226 98225->98208 98295 6c853810 18 API calls __cftoe 98226->98295 98228 6c85d36c 98228->98208 98230 6c85efae 98229->98230 98234 6c85ef99 __dosmaperr 98229->98234 98231 6c85efd5 98230->98231 98233 6c85eff7 __dosmaperr 98230->98233 98296 6c85f0b1 98231->98296 98304 6c853810 18 API calls __cftoe 98233->98304 98234->98210 98236->98205 98237->98205 98239 6c85f268 __wsopen_s 98238->98239 98240 6c85f2ba 98239->98240 98242 6c85f323 __dosmaperr 98239->98242 98245 6c85f270 __dosmaperr 98239->98245 98249 6c865080 EnterCriticalSection 98240->98249 98279 6c853810 18 API calls __cftoe 98242->98279 98243 6c85f2c0 98247 6c85f2dc __dosmaperr 98243->98247 98250 6c85f34e 98243->98250 98245->98216 98278 6c85f31b LeaveCriticalSection __wsopen_s 98247->98278 98249->98243 98251 6c85f370 98250->98251 98277 6c85f38c __dosmaperr 98250->98277 98252 6c85f3c4 98251->98252 98253 6c85f374 __dosmaperr 98251->98253 98254 6c85f3d7 98252->98254 98288 6c85e359 20 API calls __wsopen_s 98252->98288 98287 6c853810 18 API calls __cftoe 98253->98287 98280 6c85f530 98254->98280 98259 6c85f3ed 98261 6c85f416 98259->98261 98262 6c85f3f1 98259->98262 98260 6c85f42c 98263 6c85f485 WriteFile 98260->98263 98264 6c85f440 98260->98264 98290 6c85f5a1 43 API calls 5 library calls 98261->98290 98262->98277 98289 6c85f94b 6 API calls __wsopen_s 98262->98289 98266 6c85f4a9 GetLastError 98263->98266 98263->98277 98267 6c85f475 98264->98267 98268 6c85f44b 98264->98268 98266->98277 98293 6c85f9b3 7 API calls 2 library calls 98267->98293 98271 6c85f465 98268->98271 98272 6c85f450 98268->98272 98292 6c85fb77 8 API calls 3 library calls 98271->98292 98275 6c85f455 98272->98275 98272->98277 98274 6c85f463 98274->98277 98291 6c85fa8e 7 API calls 2 library calls 98275->98291 98277->98247 98278->98245 98279->98245 98281 6c8650d5 __wsopen_s 18 API calls 98280->98281 98282 6c85f541 98281->98282 98283 6c85f3e8 98282->98283 98284 6c8580a2 __Getctype 37 API calls 98282->98284 98283->98259 98283->98260 98285 6c85f564 98284->98285 98285->98283 98286 6c85f57e GetConsoleMode 98285->98286 98286->98283 98287->98277 98288->98254 98289->98277 98290->98277 98291->98274 98292->98274 98293->98274 98294->98222 98295->98228 98297 6c85f0bd __wsopen_s 98296->98297 98305 6c865080 EnterCriticalSection 98297->98305 98299 6c85f0cb 98300 6c85f015 __wsopen_s 21 API calls 98299->98300 98301 6c85f0f8 98299->98301 98300->98301 98306 6c85f131 LeaveCriticalSection __wsopen_s 98301->98306 98303 6c85f11a 98303->98234 98304->98234 98305->98299 98306->98303 98307->97880 98308->97881 98309->97880 98310->97880 98311->97880 98313 6c71022e 98312->98313 98314 6c6e70c4 98313->98314 98319 6c854ecb 98313->98319 98314->97892 98316->97893 98317->97895 98318->97897 98320 6c854ef6 98319->98320 98321 6c854ed9 98319->98321 98320->98313 98321->98320 98322 6c854ee6 98321->98322 98323 6c854efa 98321->98323 98335 6c853810 18 API calls __cftoe 98322->98335 98327 6c8550f2 98323->98327 98328 6c8550fe __wsopen_s 98327->98328 98336 6c84fc99 EnterCriticalSection 98328->98336 98330 6c85510c 98337 6c8550af 98330->98337 98334 6c854f2c 98334->98313 98335->98320 98336->98330 98345 6c85bc96 98337->98345 98343 6c8550e9 98344 6c855141 LeaveCriticalSection 98343->98344 98344->98334 98346 6c85d350 18 API calls 98345->98346 98347 6c85bca7 98346->98347 98348 6c8650d5 __wsopen_s 18 API calls 98347->98348 98350 6c85bcad __wsopen_s 98348->98350 98349 6c8550c3 98352 6c854f2e 98349->98352 98350->98349 98362 6c857eab HeapFree GetLastError __dosmaperr 98350->98362 98353 6c854f40 98352->98353 98356 6c854f5e 98352->98356 98354 6c854f4e 98353->98354 98353->98356 98359 6c854f76 _Yarn 98353->98359 98363 6c853810 18 API calls __cftoe 98354->98363 98361 6c85bd49 62 API calls 98356->98361 98357 6c8543a9 62 API calls 98357->98359 98358 6c85d350 18 API calls 98358->98359 98359->98356 98359->98357 98359->98358 98360 6c85f25c __wsopen_s 62 API calls 98359->98360 98360->98359 98361->98343 98362->98349 98363->98356 98364 6c6c4b53 98365 6c84a133 std::_Facet_Register 4 API calls 98364->98365 98366 6c6c4b5c _Yarn 98365->98366 98367 6c83e090 2 API calls 98366->98367 98372 6c6c4bae std::ios_base::_Ios_base_dtor 98367->98372 98368 6c6e639e 98567 6c853820 18 API calls 2 library calls 98368->98567 98370 6c6c4cff 98371 6c6c5164 CreateFileA CloseHandle 98376 6c6c51ec 98371->98376 98372->98368 98372->98370 98372->98371 98373 6c6d245a _Yarn _strlen 98372->98373 98373->98368 98375 6c83e090 2 API calls 98373->98375 98389 6c6d2a83 std::ios_base::_Ios_base_dtor 98375->98389 98522 6c848810 OpenSCManagerA 98376->98522 98378 6c6cfc00 98559 6c848930 CreateToolhelp32Snapshot 98378->98559 98381 6c84a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 98416 6c6c5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 98381->98416 98383 6c6d37d0 Sleep 98428 6c6d37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 98383->98428 98384 6c83e090 2 API calls 98384->98416 98385 6c6e63b2 98568 6c6c15e0 18 API calls std::ios_base::_Ios_base_dtor 98385->98568 98386 6c848930 4 API calls 98404 6c6d053a 98386->98404 98388 6c848930 4 API calls 98410 6c6d12e2 98388->98410 98389->98368 98526 6c830880 98389->98526 98390 6c6e64f8 98391 6c6cffe3 98391->98386 98395 6c6d0abc 98391->98395 98392 6c6e6ba0 104 API calls 98392->98416 98393 6c6e6e60 32 API calls 98393->98416 98395->98373 98395->98388 98396 6c6e7090 77 API calls 98396->98416 98397 6c848930 4 API calls 98397->98395 98398 6c6c6722 98535 6c844860 25 API calls 4 library calls 98398->98535 98399 6c848930 4 API calls 98417 6c6d1dd9 98399->98417 98400 6c6d211c 98400->98373 98403 6c6d241a 98400->98403 98401 6c83e090 2 API calls 98401->98428 98405 6c830880 10 API calls 98403->98405 98404->98395 98404->98397 98406 6c6d244d 98405->98406 98565 6c849450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 98406->98565 98408 6c6d2452 Sleep 98408->98373 98409 6c6c6162 98410->98399 98410->98400 98421 6c6d16ac 98410->98421 98411 6c6c740b 98536 6c8486e0 CreateProcessA 98411->98536 98413 6c848930 4 API calls 98413->98400 98414 6c6e6ba0 104 API calls 98414->98428 98415 6c6e6e60 32 API calls 98415->98428 98416->98368 98416->98378 98416->98381 98416->98384 98416->98392 98416->98393 98416->98396 98416->98398 98416->98409 98534 6c70e010 67 API calls 98416->98534 98417->98400 98417->98413 98418 6c6e7090 77 API calls 98418->98428 98420 6c6c775a _strlen 98420->98368 98422 6c6c7ba9 98420->98422 98423 6c6c7b92 98420->98423 98426 6c6c7b43 _Yarn 98420->98426 98425 6c84a133 std::_Facet_Register 4 API calls 98422->98425 98424 6c84a133 std::_Facet_Register 4 API calls 98423->98424 98424->98426 98425->98426 98427 6c83e090 2 API calls 98426->98427 98437 6c6c7be7 std::ios_base::_Ios_base_dtor 98427->98437 98428->98368 98428->98401 98428->98414 98428->98415 98428->98418 98566 6c70e010 67 API calls 98428->98566 98429 6c8486e0 4 API calls 98440 6c6c8a07 98429->98440 98430 6c6c9d7f 98433 6c84a133 std::_Facet_Register 4 API calls 98430->98433 98431 6c6c9d68 98432 6c84a133 std::_Facet_Register 4 API calls 98431->98432 98435 6c6c9d18 _Yarn 98432->98435 98433->98435 98434 6c6c962c _strlen 98434->98368 98434->98430 98434->98431 98434->98435 98436 6c83e090 2 API calls 98435->98436 98445 6c6c9dbd std::ios_base::_Ios_base_dtor 98436->98445 98437->98368 98437->98429 98437->98434 98438 6c6c8387 98437->98438 98439 6c8486e0 4 API calls 98448 6c6c9120 98439->98448 98440->98439 98441 6c8486e0 4 API calls 98458 6c6ca215 _strlen 98441->98458 98442 6c8486e0 4 API calls 98444 6c6c9624 98442->98444 98443 6c84a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 98449 6c6ce8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 98443->98449 98540 6c849450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 98444->98540 98445->98368 98445->98441 98445->98449 98447 6c83e090 2 API calls 98447->98449 98448->98442 98449->98368 98449->98443 98449->98447 98450 6c6cf7b1 98449->98450 98451 6c6ced02 Sleep 98449->98451 98558 6c849450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 98450->98558 98470 6c6ce8c1 98451->98470 98453 6c6ce8dd GetCurrentProcess TerminateProcess 98453->98449 98454 6c6ca9bb 98457 6c84a133 std::_Facet_Register 4 API calls 98454->98457 98455 6c6ca9a4 98456 6c84a133 std::_Facet_Register 4 API calls 98455->98456 98465 6c6ca953 _Yarn _strlen 98456->98465 98457->98465 98458->98368 98458->98454 98458->98455 98458->98465 98459 6c8486e0 4 API calls 98459->98470 98460 6c6cfbb8 98461 6c6cfbe8 ExitWindowsEx Sleep 98460->98461 98461->98378 98462 6c6cf7c0 98462->98460 98463 6c6cb009 98467 6c84a133 std::_Facet_Register 4 API calls 98463->98467 98464 6c6caff0 98466 6c84a133 std::_Facet_Register 4 API calls 98464->98466 98465->98385 98465->98463 98465->98464 98468 6c6cafa0 _Yarn 98465->98468 98466->98468 98467->98468 98541 6c849050 98468->98541 98470->98449 98470->98453 98470->98459 98471 6c6cb059 std::ios_base::_Ios_base_dtor _strlen 98471->98368 98472 6c6cb42c 98471->98472 98473 6c6cb443 98471->98473 98476 6c6cb3da _Yarn _strlen 98471->98476 98474 6c84a133 std::_Facet_Register 4 API calls 98472->98474 98475 6c84a133 std::_Facet_Register 4 API calls 98473->98475 98474->98476 98475->98476 98476->98385 98477 6c6cb79e 98476->98477 98478 6c6cb7b7 98476->98478 98481 6c6cb751 _Yarn 98476->98481 98479 6c84a133 std::_Facet_Register 4 API calls 98477->98479 98480 6c84a133 std::_Facet_Register 4 API calls 98478->98480 98479->98481 98480->98481 98482 6c849050 104 API calls 98481->98482 98483 6c6cb804 std::ios_base::_Ios_base_dtor _strlen 98482->98483 98483->98368 98484 6c6cbc0f 98483->98484 98485 6c6cbc26 98483->98485 98488 6c6cbbbd _Yarn _strlen 98483->98488 98486 6c84a133 std::_Facet_Register 4 API calls 98484->98486 98487 6c84a133 std::_Facet_Register 4 API calls 98485->98487 98486->98488 98487->98488 98488->98385 98489 6c6cc08e 98488->98489 98490 6c6cc075 98488->98490 98493 6c6cc028 _Yarn 98488->98493 98492 6c84a133 std::_Facet_Register 4 API calls 98489->98492 98491 6c84a133 std::_Facet_Register 4 API calls 98490->98491 98491->98493 98492->98493 98494 6c849050 104 API calls 98493->98494 98499 6c6cc0db std::ios_base::_Ios_base_dtor _strlen 98494->98499 98495 6c6cc7bc 98498 6c84a133 std::_Facet_Register 4 API calls 98495->98498 98496 6c6cc7a5 98497 6c84a133 std::_Facet_Register 4 API calls 98496->98497 98506 6c6cc753 _Yarn _strlen 98497->98506 98498->98506 98499->98368 98499->98495 98499->98496 98499->98506 98500 6c6cd3ed 98502 6c84a133 std::_Facet_Register 4 API calls 98500->98502 98501 6c6cd406 98503 6c84a133 std::_Facet_Register 4 API calls 98501->98503 98504 6c6cd39a _Yarn 98502->98504 98503->98504 98505 6c849050 104 API calls 98504->98505 98507 6c6cd458 std::ios_base::_Ios_base_dtor _strlen 98505->98507 98506->98385 98506->98500 98506->98501 98506->98504 98512 6c6ccb2f 98506->98512 98507->98368 98508 6c6cd8bb 98507->98508 98509 6c6cd8a4 98507->98509 98513 6c6cd852 _Yarn _strlen 98507->98513 98511 6c84a133 std::_Facet_Register 4 API calls 98508->98511 98510 6c84a133 std::_Facet_Register 4 API calls 98509->98510 98510->98513 98511->98513 98513->98385 98514 6c6cdccf 98513->98514 98515 6c6cdcb6 98513->98515 98518 6c6cdc69 _Yarn 98513->98518 98517 6c84a133 std::_Facet_Register 4 API calls 98514->98517 98516 6c84a133 std::_Facet_Register 4 API calls 98515->98516 98516->98518 98517->98518 98519 6c849050 104 API calls 98518->98519 98521 6c6cdd1c std::ios_base::_Ios_base_dtor 98519->98521 98520 6c8486e0 4 API calls 98520->98449 98521->98368 98521->98520 98525 6c848846 98522->98525 98523 6c8488be OpenServiceA 98523->98525 98524 6c848922 98524->98416 98525->98523 98525->98524 98527 6c830893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 98526->98527 98528 6c834e71 CloseHandle 98527->98528 98529 6c6d37cb 98527->98529 98530 6c833bd1 CloseHandle 98527->98530 98531 6c81cea0 WriteFile ReadFile WriteFile WriteFile 98527->98531 98569 6c81c390 98527->98569 98528->98527 98533 6c849450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 98529->98533 98530->98527 98531->98527 98533->98383 98534->98416 98535->98411 98537 6c848770 98536->98537 98538 6c8487b0 WaitForSingleObject CloseHandle CloseHandle 98537->98538 98539 6c8487a4 98537->98539 98538->98537 98539->98420 98540->98434 98542 6c8490a7 98541->98542 98580 6c8496e0 98542->98580 98544 6c8490b8 98545 6c6e6ba0 104 API calls 98544->98545 98552 6c8490dc 98545->98552 98546 6c849157 98632 6c70e010 67 API calls 98546->98632 98548 6c84918f std::ios_base::_Ios_base_dtor 98633 6c70e010 67 API calls 98548->98633 98551 6c849144 98617 6c849280 98551->98617 98552->98546 98552->98551 98599 6c849a30 98552->98599 98607 6c723010 98552->98607 98554 6c8491d2 std::ios_base::_Ios_base_dtor 98554->98471 98556 6c84914c 98557 6c6e7090 77 API calls 98556->98557 98557->98546 98558->98462 98562 6c848966 std::locale::_Setgloballocale 98559->98562 98560 6c848a64 Process32NextW 98560->98562 98561 6c848a14 CloseHandle 98561->98562 98562->98560 98562->98561 98563 6c848a45 Process32FirstW 98562->98563 98564 6c848a96 98562->98564 98563->98562 98564->98391 98565->98408 98566->98428 98568->98390 98570 6c81c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 98569->98570 98571 6c81ce3c 98570->98571 98572 6c81cab9 CreateFileA 98570->98572 98574 6c81b4d0 98570->98574 98571->98527 98572->98570 98575 6c81b4e3 __wsopen_s std::locale::_Setgloballocale 98574->98575 98576 6c81c206 WriteFile 98575->98576 98577 6c81b619 WriteFile 98575->98577 98578 6c81c377 98575->98578 98579 6c81bc23 ReadFile 98575->98579 98576->98575 98577->98575 98578->98570 98579->98575 98581 6c849715 98580->98581 98582 6c712020 52 API calls 98581->98582 98583 6c8497b6 98582->98583 98584 6c84a133 std::_Facet_Register 4 API calls 98583->98584 98585 6c8497ee 98584->98585 98586 6c84aa17 43 API calls 98585->98586 98587 6c849802 98586->98587 98588 6c711d90 89 API calls 98587->98588 98589 6c8498ab 98588->98589 98590 6c8498dc 98589->98590 98634 6c712250 30 API calls 98589->98634 98590->98544 98592 6c849916 98635 6c7126e0 24 API calls 4 library calls 98592->98635 98594 6c849928 98636 6c84ca69 RaiseException 98594->98636 98596 6c84993d 98637 6c70e010 67 API calls 98596->98637 98598 6c84994f 98598->98544 98600 6c849a7d 98599->98600 98638 6c849c90 98600->98638 98602 6c849b6c 98602->98552 98604 6c849a95 98604->98602 98656 6c712250 30 API calls 98604->98656 98657 6c7126e0 24 API calls 4 library calls 98604->98657 98658 6c84ca69 RaiseException 98604->98658 98608 6c72304f 98607->98608 98611 6c723063 98608->98611 98667 6c713560 32 API calls std::_Xinvalid_argument 98608->98667 98613 6c72311e 98611->98613 98669 6c712250 30 API calls 98611->98669 98670 6c7126e0 24 API calls 4 library calls 98611->98670 98671 6c84ca69 RaiseException 98611->98671 98612 6c723131 98612->98552 98613->98612 98668 6c7137e0 32 API calls std::_Xinvalid_argument 98613->98668 98618 6c84928e 98617->98618 98624 6c8492c1 98617->98624 98620 6c7101f0 64 API calls 98618->98620 98619 6c849373 98619->98556 98621 6c8492b4 98620->98621 98622 6c854208 67 API calls 98621->98622 98622->98624 98624->98619 98672 6c712250 30 API calls 98624->98672 98625 6c84939e 98673 6c712340 24 API calls 98625->98673 98627 6c8493ae 98674 6c84ca69 RaiseException 98627->98674 98629 6c8493b9 98675 6c70e010 67 API calls 98629->98675 98631 6c849412 std::ios_base::_Ios_base_dtor 98631->98556 98632->98548 98633->98554 98634->98592 98635->98594 98636->98596 98637->98598 98639 6c849ccc 98638->98639 98640 6c849cf8 98638->98640 98654 6c849cf1 98639->98654 98661 6c712250 30 API calls 98639->98661 98645 6c849d09 98640->98645 98659 6c713560 32 API calls std::_Xinvalid_argument 98640->98659 98643 6c849ed8 98662 6c712340 24 API calls 98643->98662 98645->98654 98660 6c712f60 42 API calls 4 library calls 98645->98660 98646 6c849ee7 98663 6c84ca69 RaiseException 98646->98663 98650 6c849f17 98665 6c712340 24 API calls 98650->98665 98652 6c849f2d 98666 6c84ca69 RaiseException 98652->98666 98654->98604 98655 6c849d43 98655->98654 98664 6c712250 30 API calls 98655->98664 98656->98604 98657->98604 98658->98604 98659->98645 98660->98655 98661->98643 98662->98646 98663->98655 98664->98650 98665->98652 98666->98654 98667->98611 98668->98612 98669->98611 98670->98611 98671->98611 98672->98625 98673->98627 98674->98629 98675->98631

                              Executed Functions

                              Function 6C6C4754 Relevance: 69.2, APIs: 28, Strings: 1, Instructions: 18471COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 8cd1afadd63a6d249a6fa1884e3f6429b3ee430c3842a8e707b0aeac5dd501b5
                              • Instruction ID: 6dc77284963dfae5de5d55dc23f2808e019d2ea43c175951ffce5828916b7fba
                              • Opcode Fuzzy Hash: 8cd1afadd63a6d249a6fa1884e3f6429b3ee430c3842a8e707b0aeac5dd501b5
                              • Instruction Fuzzy Hash: 7E741571744B028FC728CF28C8D0AD5B7F3EF95318B198A2DC0A68BA55E774B54ACB45
                              Function 6C848930 Relevance: 6.1, APIs: 4, Instructions: 95processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4604 6c848930-6c848964 CreateToolhelp32Snapshot 4605 6c848980-6c848989 4604->4605 4606 6c8489d0-6c8489d5 4605->4606 4607 6c84898b-6c848990 4605->4607 4608 6c848a34-6c848a62 call 6c84f010 Process32FirstW 4606->4608 4609 6c8489d7-6c8489dc 4606->4609 4610 6c848992-6c848997 4607->4610 4611 6c848a0d-6c848a12 4607->4611 4621 6c848a76-6c848a86 4608->4621 4612 6c848a64-6c848a71 Process32NextW 4609->4612 4613 6c8489e2-6c8489e7 4609->4613 4617 6c848966-6c848973 4610->4617 4618 6c848999-6c84899e 4610->4618 4614 6c848a14-6c848a2f CloseHandle 4611->4614 4615 6c848a8b-6c848a90 4611->4615 4612->4621 4613->4605 4619 6c8489e9-6c848a08 4613->4619 4614->4605 4615->4605 4622 6c848a96-6c848aa4 4615->4622 4617->4605 4618->4605 4623 6c8489a0-6c8489ca call 6c8562f5 4618->4623 4619->4605 4621->4605 4623->4605
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C84893E
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: d6452fa124848f6d212d4895f28b8b89f896fd8f3b49c167a4da6b325abd2c07
                              • Instruction ID: d48a60ab9eeda060e8e005aa82eef29162b076c07a7de60944e542b799b32a06
                              • Opcode Fuzzy Hash: d6452fa124848f6d212d4895f28b8b89f896fd8f3b49c167a4da6b325abd2c07
                              • Instruction Fuzzy Hash: B7318F70219309AFD721EF58CA8475ABBE4AF89708F148D2EF488D6360D771E844CB93
                              Function 6C6C3886 Relevance: 3.6, APIs: 2, Instructions: 573COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4877 6c6c3886-6c6c388e 4878 6c6c3894-6c6c3896 4877->4878 4879 6c6c3970-6c6c397d 4877->4879 4878->4879 4882 6c6c389c-6c6c38b9 4878->4882 4880 6c6c397f-6c6c3989 4879->4880 4881 6c6c39f1-6c6c39f8 4879->4881 4880->4882 4883 6c6c398f-6c6c3994 4880->4883 4884 6c6c39fe-6c6c3a03 4881->4884 4885 6c6c3ab5-6c6c3aba 4881->4885 4886 6c6c38c0-6c6c38c1 4882->4886 4888 6c6c399a-6c6c399f 4883->4888 4889 6c6c3b16-6c6c3b18 4883->4889 4890 6c6c3a09-6c6c3a2f 4884->4890 4891 6c6c38d2-6c6c38d4 4884->4891 4885->4882 4887 6c6c3ac0-6c6c3ac7 4885->4887 4892 6c6c395e 4886->4892 4887->4886 4895 6c6c3acd-6c6c3ad6 4887->4895 4896 6c6c383b-6c6c3855 call 6c812a20 call 6c812a30 4888->4896 4897 6c6c39a5-6c6c39bf 4888->4897 4889->4886 4898 6c6c38f8-6c6c3955 4890->4898 4899 6c6c3a35-6c6c3a3a 4890->4899 4893 6c6c3957-6c6c395c 4891->4893 4894 6c6c3960-6c6c3964 4892->4894 4893->4892 4901 6c6c396a 4894->4901 4902 6c6c3860-6c6c3885 4894->4902 4895->4889 4903 6c6c3ad8-6c6c3aeb 4895->4903 4896->4902 4904 6c6c3a5a-6c6c3a5d 4897->4904 4898->4893 4905 6c6c3b1d-6c6c3b22 4899->4905 4906 6c6c3a40-6c6c3a57 4899->4906 4909 6c6c3ba1-6c6c3bb6 4901->4909 4902->4877 4903->4898 4910 6c6c3af1-6c6c3af8 4903->4910 4907 6c6c3aa9-6c6c3ab0 4904->4907 4912 6c6c3b49-6c6c3b50 4905->4912 4913 6c6c3b24-6c6c3b44 4905->4913 4906->4904 4907->4894 4914 6c6c3bc0-6c6c3bda call 6c812a20 call 6c812a30 4909->4914 4916 6c6c3afa-6c6c3aff 4910->4916 4917 6c6c3b62-6c6c3b85 4910->4917 4912->4886 4920 6c6c3b56-6c6c3b5d 4912->4920 4913->4907 4928 6c6c3be0-6c6c3bfe 4914->4928 4916->4893 4917->4898 4924 6c6c3b8b 4917->4924 4920->4894 4924->4909 4931 6c6c3e7b 4928->4931 4932 6c6c3c04-6c6c3c11 4928->4932 4933 6c6c3e81-6c6c3ee0 call 6c6c3750 GetCurrentThread NtSetInformationThread 4931->4933 4934 6c6c3c17-6c6c3c20 4932->4934 4935 6c6c3ce0-6c6c3cea 4932->4935 4952 6c6c3eea-6c6c3f04 call 6c812a20 call 6c812a30 4933->4952 4939 6c6c3dc5 4934->4939 4940 6c6c3c26-6c6c3c2d 4934->4940 4936 6c6c3cec-6c6c3d0c 4935->4936 4937 6c6c3d3a-6c6c3d3c 4935->4937 4941 6c6c3d90-6c6c3d95 4936->4941 4942 6c6c3d3e-6c6c3d45 4937->4942 4943 6c6c3d70-6c6c3d8d 4937->4943 4944 6c6c3dc6 4939->4944 4946 6c6c3dc3 4940->4946 4947 6c6c3c33-6c6c3c3a 4940->4947 4950 6c6c3dba-6c6c3dc1 4941->4950 4951 6c6c3d97-6c6c3db8 4941->4951 4949 6c6c3d50-6c6c3d57 4942->4949 4943->4941 4948 6c6c3dc8-6c6c3dcc 4944->4948 4946->4939 4953 6c6c3e26-6c6c3e2b 4947->4953 4954 6c6c3c40-6c6c3c5b 4947->4954 4948->4928 4955 6c6c3dd2 4948->4955 4949->4944 4950->4946 4956 6c6c3dd7-6c6c3ddc 4950->4956 4951->4939 4971 6c6c3f75-6c6c3fa1 4952->4971 4958 6c6c3c7b-6c6c3cd0 4953->4958 4959 6c6c3e31 4953->4959 4960 6c6c3e1b-6c6c3e24 4954->4960 4961 6c6c3e76-6c6c3e79 4955->4961 4963 6c6c3dde-6c6c3e17 4956->4963 4964 6c6c3e36-6c6c3e3d 4956->4964 4958->4949 4959->4914 4960->4948 4960->4961 4961->4933 4963->4960 4965 6c6c3e5c-6c6c3e5f 4964->4965 4966 6c6c3e3f-6c6c3e5a 4964->4966 4965->4958 4969 6c6c3e65-6c6c3e69 4965->4969 4966->4960 4969->4948 4969->4961 4975 6c6c4020-6c6c4026 4971->4975 4976 6c6c3fa3-6c6c3fa8 4971->4976 4979 6c6c402c-6c6c403c 4975->4979 4980 6c6c3f06-6c6c3f35 4975->4980 4977 6c6c407c-6c6c4081 4976->4977 4978 6c6c3fae-6c6c3fcf 4976->4978 4981 6c6c40aa-6c6c40ae 4977->4981 4985 6c6c4083-6c6c408a 4977->4985 4978->4981 4983 6c6c403e-6c6c4058 4979->4983 4984 6c6c40b3-6c6c40b8 4979->4984 4982 6c6c3f38-6c6c3f61 4980->4982 4987 6c6c3f6b-6c6c3f6f 4981->4987 4988 6c6c3f64-6c6c3f67 4982->4988 4989 6c6c405a-6c6c4063 4983->4989 4984->4978 4986 6c6c40be-6c6c40c9 4984->4986 4985->4982 4990 6c6c4090 4985->4990 4986->4981 4992 6c6c40cb-6c6c40d4 4986->4992 4987->4971 4993 6c6c3f69 4988->4993 4994 6c6c4069-6c6c406c 4989->4994 4995 6c6c40f5-6c6c413f 4989->4995 4990->4952 4991 6c6c40a7 4990->4991 4991->4981 4992->4991 4996 6c6c40d6-6c6c40f0 4992->4996 4993->4987 4998 6c6c4144-6c6c414b 4994->4998 4999 6c6c4072-6c6c4077 4994->4999 4995->4993 4996->4989 4998->4987 4999->4988
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cc5392f1b6d843ec7269d1f980def710a920d757cc8a91f14da2b24a1d554195
                              • Instruction ID: 7e62d3a8065faa0a5424f65b51ab08feac11d1552403662c75d417ef89862d6b
                              • Opcode Fuzzy Hash: cc5392f1b6d843ec7269d1f980def710a920d757cc8a91f14da2b24a1d554195
                              • Instruction Fuzzy Hash: FA32F132345B018FC324CF28C8C06E6B7E3EF9531476A8A6DC0EA4BA95D775B44ACB55
                              Function 6C6C3A6A Relevance: 3.1, APIs: 2, Instructions: 148threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 7e2b4f6cfa004207eac85d29bad112b5b39c794a23d924b7ba176934bac9ce80
                              • Instruction ID: e0ffc8da82635b57ca3ee83e5a58317ff336c296bce711538db3e56316a3c6ac
                              • Opcode Fuzzy Hash: 7e2b4f6cfa004207eac85d29bad112b5b39c794a23d924b7ba176934bac9ce80
                              • Instruction Fuzzy Hash: ED51D1312587018FC320CF28C8847D5B7E3FF96314F698A6DC0E65BA95DB75B44A8B86
                              Function 6C6C39CF Relevance: 3.1, APIs: 2, Instructions: 139threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 18b296b893ba65db2ffc43ac094d351878108320e9621d41672d3d0661ac41b8
                              • Instruction ID: c76965b9fce73cee2a559157b0f7ed369ac9e259c86da2a32bbe0b8bbe6f72e3
                              • Opcode Fuzzy Hash: 18b296b893ba65db2ffc43ac094d351878108320e9621d41672d3d0661ac41b8
                              • Instruction Fuzzy Hash: 5551B031258B018FC320CF28C4807E5B7E3FF96314F658A6DC0E65BA95DB71B44A8B96
                              Function 6C6C3D18 Relevance: 3.1, APIs: 2, Instructions: 89threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C6C3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6C3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 0c3e9d482fa9182bf051b41b4f03bb3f27e706a5998015a3f65419e54d2bf02f
                              • Instruction ID: 128ed147d2aed5d4d10846b72d4af9988423aad53036513d2228557e41ed8965
                              • Opcode Fuzzy Hash: 0c3e9d482fa9182bf051b41b4f03bb3f27e706a5998015a3f65419e54d2bf02f
                              • Instruction Fuzzy Hash: 4831E431259B018FC320CF28C8947E6B7B3EF96318F194E2DC0A65BA81DBB47009DB56
                              Function 6C6C3D62 Relevance: 3.1, APIs: 2, Instructions: 83threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C6C3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6C3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 4c8cebef0f7b8d3c43b4e54253c4a38655b7b87b364d591efb34d4241840dda5
                              • Instruction ID: f690d64adb63307033ea37b1e6a8c73617010b80c34f1f8a81af7128bb28e513
                              • Opcode Fuzzy Hash: 4c8cebef0f7b8d3c43b4e54253c4a38655b7b87b364d591efb34d4241840dda5
                              • Instruction Fuzzy Hash: 1931AD312587018BC724CF28C4947E6B7F2EF96308F654E6DC0EA5BA81DBB17449CB96
                              Function 6C6C3C62 Relevance: 3.1, APIs: 2, Instructions: 72threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C6C3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C6C3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 8bfed490ad9e7471179f42029e7426dfb3626e41312233b10145f4f5190e7d6c
                              • Instruction ID: 19b1bf878c1723263513947a94ab8827a2bb2dc9e6306d6b25c6f6d051d8022d
                              • Opcode Fuzzy Hash: 8bfed490ad9e7471179f42029e7426dfb3626e41312233b10145f4f5190e7d6c
                              • Instruction Fuzzy Hash: 1321D1703587018BD324CF24C8947E677B2EF56308F254E2DD0A68BA80DBB4B4098B57
                              Function 6C848810 Relevance: 3.1, APIs: 2, Instructions: 72serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C848820
                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C8488C5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Open$ManagerService
                              • String ID:
                              • API String ID: 2351955762-0
                              • Opcode ID: 6fa2717edb4716b26fe09940b6189f6420bdd0b7e6857a66916b331da8640e32
                              • Instruction ID: 424a623c55aff367e303c0b81fdb470378c063dbaa6a2620ff3995aaee28a9e2
                              • Opcode Fuzzy Hash: 6fa2717edb4716b26fe09940b6189f6420bdd0b7e6857a66916b331da8640e32
                              • Instruction Fuzzy Hash: C1311674608316AFC710EF29C949A0EBBF1AB89354F54CC5AF488D7361D371C8488BA3
                              Function 6C83E090 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C83E0AC
                              • FindClose.KERNEL32(000000FF), ref: 6C83E0E2
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: f3724a36a94ec290bad4afc9859f33854f5db3331ca8d0c13eca22a487372735
                              • Instruction ID: 0a683aeda5a9b3e89ba8393ecf3a9d19609c3b3ff1fcbd15f473cca1b5168073
                              • Opcode Fuzzy Hash: f3724a36a94ec290bad4afc9859f33854f5db3331ca8d0c13eca22a487372735
                              • Instruction Fuzzy Hash: 7B11287450C6619FC7208F68CA54A4ABBE4AB86315F149D5AE4A8C6690D738DC888BC2
                              Function 6C8601C3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3722 6c8601c3-6c8601d3 3723 6c8601d5-6c8601e8 call 6c8530cf call 6c8530bc 3722->3723 3724 6c8601ed-6c8601ef 3722->3724 3738 6c86056c 3723->3738 3725 6c860554-6c860561 call 6c8530cf call 6c8530bc 3724->3725 3726 6c8601f5-6c8601fb 3724->3726 3744 6c860567 call 6c853810 3725->3744 3726->3725 3729 6c860201-6c860227 3726->3729 3729->3725 3733 6c86022d-6c860236 3729->3733 3736 6c860250-6c860252 3733->3736 3737 6c860238-6c86024b call 6c8530cf call 6c8530bc 3733->3737 3741 6c860550-6c860552 3736->3741 3742 6c860258-6c86025b 3736->3742 3737->3744 3743 6c86056f-6c860572 3738->3743 3741->3743 3742->3741 3746 6c860261-6c860265 3742->3746 3744->3738 3746->3737 3749 6c860267-6c86027e 3746->3749 3751 6c860280-6c860283 3749->3751 3752 6c8602cf-6c8602d5 3749->3752 3753 6c860285-6c86028e 3751->3753 3754 6c860293-6c860299 3751->3754 3755 6c8602d7-6c8602e1 3752->3755 3756 6c86029b-6c8602b2 call 6c8530cf call 6c8530bc call 6c853810 3752->3756 3757 6c860353-6c860363 3753->3757 3754->3756 3758 6c8602b7-6c8602ca 3754->3758 3760 6c8602e3-6c8602e5 3755->3760 3761 6c8602e8-6c860306 call 6c857ee5 call 6c857eab * 2 3755->3761 3788 6c860487 3756->3788 3763 6c860428-6c860431 call 6c8650d5 3757->3763 3764 6c860369-6c860375 3757->3764 3758->3757 3760->3761 3792 6c860323-6c86034c call 6c85e359 3761->3792 3793 6c860308-6c86031e call 6c8530bc call 6c8530cf 3761->3793 3777 6c8604a4 3763->3777 3778 6c860433-6c860445 3763->3778 3764->3763 3768 6c86037b-6c86037d 3764->3768 3768->3763 3773 6c860383-6c8603a7 3768->3773 3773->3763 3774 6c8603a9-6c8603bf 3773->3774 3774->3763 3779 6c8603c1-6c8603c3 3774->3779 3781 6c8604a8-6c8604c0 ReadFile 3777->3781 3778->3777 3783 6c860447-6c860456 GetConsoleMode 3778->3783 3779->3763 3784 6c8603c5-6c8603eb 3779->3784 3786 6c8604c2-6c8604c8 3781->3786 3787 6c86051c-6c860527 GetLastError 3781->3787 3783->3777 3789 6c860458-6c86045c 3783->3789 3784->3763 3791 6c8603ed-6c860403 3784->3791 3786->3787 3796 6c8604ca 3786->3796 3794 6c860540-6c860543 3787->3794 3795 6c860529-6c86053b call 6c8530bc call 6c8530cf 3787->3795 3790 6c86048a-6c860494 call 6c857eab 3788->3790 3789->3781 3797 6c86045e-6c860478 ReadConsoleW 3789->3797 3790->3743 3791->3763 3799 6c860405-6c860407 3791->3799 3792->3757 3793->3788 3806 6c860480-6c860486 call 6c8530e2 3794->3806 3807 6c860549-6c86054b 3794->3807 3795->3788 3803 6c8604cd-6c8604df 3796->3803 3804 6c86047a GetLastError 3797->3804 3805 6c860499-6c8604a2 3797->3805 3799->3763 3809 6c860409-6c860423 3799->3809 3803->3790 3813 6c8604e1-6c8604e5 3803->3813 3804->3806 3805->3803 3806->3788 3807->3790 3809->3763 3818 6c8604e7-6c8604f7 call 6c8605ee 3813->3818 3819 6c8604fe-6c860509 3813->3819 3830 6c8604fa-6c8604fc 3818->3830 3820 6c860515-6c86051a call 6c8608a6 3819->3820 3821 6c86050b call 6c860573 3819->3821 3828 6c860510-6c860513 3820->3828 3821->3828 3828->3830 3830->3790
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 9b6478816445b9666c25803075933ee9e60c11db2fdb477f7b861303d00662ac
                              • Instruction ID: 1de0fb11a408488257eb4a5515b85a8a72ce735cdcb73a830549d968918c253e
                              • Opcode Fuzzy Hash: 9b6478816445b9666c25803075933ee9e60c11db2fdb477f7b861303d00662ac
                              • Instruction Fuzzy Hash: 4AC11970E042899FDF21CF9ECA90BAEBBB0AF4A318F104959D414ABF41C7718945CB6D
                              Function 6C86775C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3831 6c86775c-6c86778c call 6c867bdc 3834 6c8677a7-6c8677b3 call 6c864cfc 3831->3834 3835 6c86778e-6c867799 call 6c8530cf 3831->3835 3840 6c8677b5-6c8677ca call 6c8530cf call 6c8530bc 3834->3840 3841 6c8677cc-6c867815 call 6c867b47 3834->3841 3842 6c86779b-6c8677a2 call 6c8530bc 3835->3842 3840->3842 3850 6c867817-6c867820 3841->3850 3851 6c867882-6c86788b GetFileType 3841->3851 3852 6c867a81-6c867a85 3842->3852 3856 6c867857-6c86787d GetLastError call 6c8530e2 3850->3856 3857 6c867822-6c867826 3850->3857 3853 6c8678d4-6c8678d7 3851->3853 3854 6c86788d-6c8678be GetLastError call 6c8530e2 CloseHandle 3851->3854 3859 6c8678e0-6c8678e6 3853->3859 3860 6c8678d9-6c8678de 3853->3860 3854->3842 3868 6c8678c4-6c8678cf call 6c8530bc 3854->3868 3856->3842 3857->3856 3861 6c867828-6c867855 call 6c867b47 3857->3861 3864 6c8678ea-6c867938 call 6c864ea0 3859->3864 3866 6c8678e8 3859->3866 3860->3864 3861->3851 3861->3856 3874 6c867957-6c86797f call 6c867e00 3864->3874 3875 6c86793a-6c867946 call 6c867d56 3864->3875 3866->3864 3868->3842 3881 6c867984-6c8679c5 3874->3881 3882 6c867981-6c867982 3874->3882 3875->3874 3880 6c867948 3875->3880 3883 6c86794a-6c867952 call 6c85f015 3880->3883 3884 6c8679e6-6c8679f4 3881->3884 3885 6c8679c7-6c8679cb 3881->3885 3882->3883 3883->3852 3888 6c867a7f 3884->3888 3889 6c8679fa-6c8679fe 3884->3889 3885->3884 3887 6c8679cd-6c8679e1 3885->3887 3887->3884 3888->3852 3889->3888 3891 6c867a00-6c867a33 CloseHandle call 6c867b47 3889->3891 3894 6c867a67-6c867a7b 3891->3894 3895 6c867a35-6c867a61 GetLastError call 6c8530e2 call 6c864e0f 3891->3895 3894->3888 3895->3894
                              APIs
                                • Part of subcall function 6C867B47: CreateFileW.KERNEL32(00000000,00000000,?,6C867805,?,?,00000000,?,6C867805,00000000,0000000C), ref: 6C867B64
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C867870
                              • __dosmaperr.LIBCMT ref: 6C867877
                              • GetFileType.KERNEL32(00000000), ref: 6C867883
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C86788D
                              • __dosmaperr.LIBCMT ref: 6C867896
                              • CloseHandle.KERNEL32(00000000), ref: 6C8678B6
                              • CloseHandle.KERNEL32(6C85E7C0), ref: 6C867A03
                              • GetLastError.KERNEL32 ref: 6C867A35
                              • __dosmaperr.LIBCMT ref: 6C867A3C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: be924e86d55066bf00678172550df27c85f1dc9deca3c4cd96099581bfbab17b
                              • Instruction ID: 88b95b4ecb8a3eb599611c5dd794ab2e7d6f30d1577d972d236f94a88ba1c94e
                              • Opcode Fuzzy Hash: be924e86d55066bf00678172550df27c85f1dc9deca3c4cd96099581bfbab17b
                              • Instruction Fuzzy Hash: 98A14632A041548FCF29DF6CC950BAD7BB1AB07328F24456DE811EFB90D7359916CB91
                              Function 6C81B4D0 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 834fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C81B62F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID: *$,=ym$-=ym$-=ym$B$H
                              • API String ID: 3934441357-3163594065
                              • Opcode ID: 9c4eaab1482b8a5cc144bc93df1447af058c584c131ff7e6af4b583389aac44c
                              • Instruction ID: b1b74c3ae9353044fc49b066bda169066376516990d66c6dccf9105abbb2c593
                              • Opcode Fuzzy Hash: 9c4eaab1482b8a5cc144bc93df1447af058c584c131ff7e6af4b583389aac44c
                              • Instruction Fuzzy Hash: CB727CB460D3869FC724CF28C5906AEB7E1AF89304F148E2EE499CBB51E774D8458B53
                              Function 6C6C4200 Relevance: 9.0, APIs: 3, Strings: 1, Instructions: 2005COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 6fce96f763c2965bfdcb3ee44e9dea1fe4c03f40999bd51af73f679e1815cf9c
                              • Instruction ID: 3256df7661ac65334994e50642d230304652fda9e5e0821c83ddd877e00f50c0
                              • Opcode Fuzzy Hash: 6fce96f763c2965bfdcb3ee44e9dea1fe4c03f40999bd51af73f679e1815cf9c
                              • Instruction Fuzzy Hash: 5003E431645B018FC728CF28C8D06A5B7E3EFD532871E8B6DC0A64BA95DB74B44ACB45
                              Function 6C8486E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62processsynchronizationCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4469 6c8486e0-6c848767 CreateProcessA 4470 6c84878b-6c848794 4469->4470 4471 6c848796-6c84879b 4470->4471 4472 6c8487b0-6c8487fa WaitForSingleObject CloseHandle * 2 4470->4472 4473 6c848770-6c848783 4471->4473 4474 6c84879d-6c8487a2 4471->4474 4472->4470 4473->4470 4474->4470 4475 6c8487a4-6c848807 4474->4475
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                              • String ID: D
                              • API String ID: 2059082233-2746444292
                              • Opcode ID: e388253d9b48cac90423866b5b54c480767adc5343de81f07c1f58e4e7f2298e
                              • Instruction ID: 0d5392bb78ef1fc741d9c59b2292b10e070d5fa52f1464b071a1cc7ab124afce
                              • Opcode Fuzzy Hash: e388253d9b48cac90423866b5b54c480767adc5343de81f07c1f58e4e7f2298e
                              • Instruction Fuzzy Hash: 4231F27180D3848FD750EF28C29471ABBF0AB9A318F509A1EF8D986360D7749584CF83
                              Function 6C85F34E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4477 6c85f34e-6c85f36a 4478 6c85f370-6c85f372 4477->4478 4479 6c85f529 4477->4479 4480 6c85f394-6c85f3b5 4478->4480 4481 6c85f374-6c85f387 call 6c8530cf call 6c8530bc call 6c853810 4478->4481 4482 6c85f52b-6c85f52f 4479->4482 4484 6c85f3b7-6c85f3ba 4480->4484 4485 6c85f3bc-6c85f3c2 4480->4485 4499 6c85f38c-6c85f38f 4481->4499 4484->4485 4487 6c85f3c4-6c85f3c9 4484->4487 4485->4481 4485->4487 4489 6c85f3cb-6c85f3d7 call 6c85e359 4487->4489 4490 6c85f3da-6c85f3eb call 6c85f530 4487->4490 4489->4490 4497 6c85f3ed-6c85f3ef 4490->4497 4498 6c85f42c-6c85f43e 4490->4498 4500 6c85f416-6c85f422 call 6c85f5a1 4497->4500 4501 6c85f3f1-6c85f3f9 4497->4501 4502 6c85f485-6c85f4a7 WriteFile 4498->4502 4503 6c85f440-6c85f449 4498->4503 4499->4482 4514 6c85f427-6c85f42a 4500->4514 4504 6c85f3ff-6c85f40c call 6c85f94b 4501->4504 4505 6c85f4bb-6c85f4be 4501->4505 4507 6c85f4b2 4502->4507 4508 6c85f4a9-6c85f4af GetLastError 4502->4508 4509 6c85f475-6c85f483 call 6c85f9b3 4503->4509 4510 6c85f44b-6c85f44e 4503->4510 4521 6c85f40f-6c85f411 4504->4521 4515 6c85f4c1-6c85f4c6 4505->4515 4513 6c85f4b5-6c85f4ba 4507->4513 4508->4507 4509->4514 4516 6c85f465-6c85f473 call 6c85fb77 4510->4516 4517 6c85f450-6c85f453 4510->4517 4513->4505 4514->4521 4523 6c85f524-6c85f527 4515->4523 4524 6c85f4c8-6c85f4cd 4515->4524 4516->4514 4517->4515 4522 6c85f455-6c85f463 call 6c85fa8e 4517->4522 4521->4513 4522->4514 4523->4482 4526 6c85f4cf-6c85f4d4 4524->4526 4527 6c85f4f9-6c85f505 4524->4527 4532 6c85f4d6-6c85f4e8 call 6c8530bc call 6c8530cf 4526->4532 4533 6c85f4ed-6c85f4f4 call 6c8530e2 4526->4533 4529 6c85f507-6c85f50a 4527->4529 4530 6c85f50c-6c85f51f call 6c8530bc call 6c8530cf 4527->4530 4529->4479 4529->4530 4530->4499 4532->4499 4533->4499
                              APIs
                                • Part of subcall function 6C85F5A1: GetConsoleCP.KERNEL32(?,6C85E7C0,?), ref: 6C85F5E9
                              • WriteFile.KERNEL32(?,?,6C867DDC,00000000,00000000,?,00000000,00000000,6C8691A6,00000000,00000000,?,00000000,6C85E7C0,6C867DDC,00000000), ref: 6C85F49F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C867DDC,6C85E7C0,00000000,?,?,?,?,00000000,?), ref: 6C85F4A9
                              • __dosmaperr.LIBCMT ref: 6C85F4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: f2d1e69ab8f7f4e23a55338e10cd86e5cf08864769b8ebd4028816e5dc80a7b8
                              • Instruction ID: 865d3f5080964417f32f3c63c87682818e9e9344845ed0fee8cfe16342045185
                              • Opcode Fuzzy Hash: f2d1e69ab8f7f4e23a55338e10cd86e5cf08864769b8ebd4028816e5dc80a7b8
                              • Instruction Fuzzy Hash: B0510871A0020EABEF61DFA8CA40BDFBB79EF19358F940D21D400A7A51D7B0D955CB61
                              Function 6C849280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4544 6c849280-6c84928c 4545 6c8492cd 4544->4545 4546 6c84928e-6c849299 4544->4546 4547 6c8492cf-6c849347 4545->4547 4548 6c8492af-6c8492bc call 6c7101f0 call 6c854208 4546->4548 4549 6c84929b-6c8492ad 4546->4549 4550 6c849373-6c849379 4547->4550 4551 6c849349-6c849371 4547->4551 4557 6c8492c1-6c8492cb 4548->4557 4549->4548 4551->4550 4554 6c84937a-6c849439 call 6c712250 call 6c712340 call 6c84ca69 call 6c70e010 call 6c84a778 4551->4554 4557->4547
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C849421
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 0718af1ee4c621f1fcab224181f70525f80ecd01290936ca6044a56b0f082d4d
                              • Instruction ID: f4257cf8949776ea56eae937afcd2ad4e30c1c377931d586ae8979ae0e450c31
                              • Opcode Fuzzy Hash: 0718af1ee4c621f1fcab224181f70525f80ecd01290936ca6044a56b0f082d4d
                              • Instruction Fuzzy Hash: 355142B5500B008FD735CF29C685B9ABBF1BB49318F408A2DD8864BB91E775A909CB90
                              Function 6C81CEA0 Relevance: 6.2, APIs: 4, Instructions: 187fileCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4567 6c81cea0-6c81cf03 call 6c84a260 4570 6c81cf40-6c81cf49 4567->4570 4571 6c81cf90-6c81cf95 4570->4571 4572 6c81cf4b-6c81cf50 4570->4572 4575 6c81d030-6c81d035 4571->4575 4576 6c81cf9b-6c81cfa0 4571->4576 4573 6c81d000-6c81d005 4572->4573 4574 6c81cf56-6c81cf5b 4572->4574 4577 6c81d125-6c81d158 call 6c84ea90 4573->4577 4578 6c81d00b-6c81d010 4573->4578 4581 6c81cf61-6c81cf66 4574->4581 4582 6c81d065-6c81d08c 4574->4582 4579 6c81d03b-6c81d040 4575->4579 4580 6c81d17d-6c81d191 4575->4580 4583 6c81cf05-6c81cf21 WriteFile 4576->4583 4584 6c81cfa6-6c81cfab 4576->4584 4577->4570 4587 6c81d016-6c81d01b 4578->4587 4588 6c81d15d-6c81d175 4578->4588 4589 6c81d1a7-6c81d1ac 4579->4589 4590 6c81d046-6c81d060 4579->4590 4585 6c81d195-6c81d1a2 4580->4585 4591 6c81d091-6c81d0aa WriteFile 4581->4591 4592 6c81cf6c-6c81cf71 4581->4592 4593 6c81cf33-6c81cf38 4582->4593 4586 6c81cf30 4583->4586 4595 6c81cfb1-6c81cfb6 4584->4595 4596 6c81d0af-6c81d120 WriteFile 4584->4596 4585->4570 4586->4593 4587->4570 4599 6c81d021-6c81d02b 4587->4599 4588->4580 4589->4570 4598 6c81d1b2-6c81d1c0 4589->4598 4590->4585 4591->4586 4592->4570 4600 6c81cf73-6c81cf86 4592->4600 4593->4570 4595->4570 4597 6c81cfb8-6c81cfee call 6c84f010 ReadFile 4595->4597 4596->4586 4597->4586 4599->4586 4600->4593
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C81CFE1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 8e7e00bb8746a057f2b20dcfe06e03f389593e6a5f62c654344dfd29e80e0da8
                              • Instruction ID: a4c444e4918dde9947b3bc39b3ae9337adb3b9063ba757b719247f3aee1ca3e3
                              • Opcode Fuzzy Hash: 8e7e00bb8746a057f2b20dcfe06e03f389593e6a5f62c654344dfd29e80e0da8
                              • Instruction Fuzzy Hash: FA714EB0209345AFD720DF19C984B5ABBE4BF89708F504D2EF495D7A50D3B5D984CB82
                              Function 6C81C390 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 631COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4626 6c81c390-6c81c406 call 6c84a260 call 6c84f010 4631 6c81c426-6c81c42f 4626->4631 4632 6c81c431-6c81c436 4631->4632 4633 6c81c490-6c81c495 4631->4633 4634 6c81c500-6c81c505 4632->4634 4635 6c81c43c-6c81c441 4632->4635 4636 6c81c570-6c81c575 4633->4636 4637 6c81c49b-6c81c4a0 4633->4637 4640 6c81c679-6c81c67e 4634->4640 4641 6c81c50b-6c81c510 4634->4641 4638 6c81c447-6c81c44c 4635->4638 4639 6c81c5bf-6c81c5c4 4635->4639 4642 6c81c6d6-6c81c6db 4636->4642 4643 6c81c57b-6c81c580 4636->4643 4644 6c81c4a6-6c81c4ab 4637->4644 4645 6c81c638-6c81c63d 4637->4645 4650 6c81c742-6c81c747 4638->4650 4651 6c81c452-6c81c457 4638->4651 4648 6c81c863-6c81c868 4639->4648 4649 6c81c5ca-6c81c5cf 4639->4649 4656 6c81c8e2-6c81c8e7 4640->4656 4657 6c81c684-6c81c689 4640->4657 4652 6c81c516-6c81c51b 4641->4652 4653 6c81c7de-6c81c7e3 4641->4653 4646 6c81c6e1-6c81c6e6 4642->4646 4647 6c81c912-6c81c917 4642->4647 4658 6c81c830-6c81c835 4643->4658 4659 6c81c586-6c81c58b 4643->4659 4660 6c81c4b1-6c81c4b6 4644->4660 4661 6c81c796-6c81c79b 4644->4661 4654 6c81c643-6c81c648 4645->4654 4655 6c81c8ab-6c81c8b0 4645->4655 4664 6c81cc12-6c81cc4d call 6c84f010 call 6c81b4d0 4646->4664 4665 6c81c6ec-6c81c6f1 4646->4665 4662 6c81ce1a-6c81ce29 4647->4662 4663 6c81c91d-6c81c922 4647->4663 4680 6c81cdb7-6c81cdbf 4648->4680 4681 6c81c86e-6c81c873 4648->4681 4678 6c81ca71-6c81ca9b call 6c84ea90 4649->4678 4679 6c81c5d5-6c81c5da 4649->4679 4666 6c81cca3-6c81ccba 4650->4666 4667 6c81c74d-6c81c752 4650->4667 4682 6c81c93d-6c81c95b 4651->4682 4683 6c81c45d-6c81c462 4651->4683 4668 6c81c521-6c81c526 4652->4668 4669 6c81c9a3-6c81c9b3 4652->4669 4672 6c81c7e9-6c81c7ee 4653->4672 4673 6c81ccfa-6c81cd23 4653->4673 4684 6c81cb08-6c81cb34 4654->4684 4685 6c81c64e-6c81c653 4654->4685 4686 6c81c8b6-6c81c8bb 4655->4686 4687 6c81cdda-6c81cdf1 4655->4687 4688 6c81cdf9-6c81ce12 4656->4688 4689 6c81c8ed-6c81c8f2 4656->4689 4690 6c81cb61-6c81cb85 4657->4690 4691 6c81c68f-6c81c694 4657->4691 4676 6c81c83b-6c81c840 4658->4676 4677 6c81cd6c-6c81cd88 4658->4677 4674 6c81c591-6c81c596 4659->4674 4675 6c81c9fe-6c81ca3a 4659->4675 4692 6c81c97a-6c81c984 4660->4692 4693 6c81c4bc-6c81c4c1 4660->4693 4670 6c81c7a1-6c81c7a6 4661->4670 4671 6c81c408-6c81c418 4661->4671 4707 6c81ce31-6c81ce36 4662->4707 4663->4631 4715 6c81c928-6c81c938 4663->4715 4752 6c81cc52-6c81cc72 4664->4752 4694 6c81cc77-6c81cc88 4665->4694 4695 6c81c6f7-6c81c6fc 4665->4695 4726 6c81ccbc-6c81ccc4 4666->4726 4697 6c81ccc9-6c81ccd8 4667->4697 4698 6c81c758-6c81c75d 4667->4698 4716 6c81c9bd-6c81c9c5 4668->4716 4717 6c81c52c-6c81c531 4668->4717 4669->4716 4700 6c81cce0-6c81ccf5 4670->4700 4701 6c81c7ac-6c81c7b1 4670->4701 4704 6c81c41d 4671->4704 4702 6c81c7f4-6c81c7f9 4672->4702 4703 6c81cd28-6c81cd67 4672->4703 4673->4631 4719 6c81ca43-6c81ca6c 4674->4719 4720 6c81c59c-6c81c5a1 4674->4720 4675->4719 4705 6c81c846-6c81c84b 4676->4705 4706 6c81cd9d-6c81cdad 4676->4706 4696 6c81cd8a-6c81cd98 4677->4696 4678->4631 4721 6c81caa0-6c81cb03 call 6c81ce50 CreateFileA 4679->4721 4722 6c81c5e0-6c81c5e5 4679->4722 4699 6c81cdc4-6c81cdd5 4680->4699 4681->4707 4708 6c81c879-6c81c8a6 4681->4708 4682->4696 4709 6c81c960-6c81c975 4683->4709 4710 6c81c468-6c81c46d 4683->4710 4684->4631 4724 6c81cb39-6c81cb5c 4685->4724 4725 6c81c659-6c81c65e 4685->4725 4686->4631 4711 6c81c8c1-6c81c8dd 4686->4711 4687->4688 4688->4662 4689->4631 4712 6c81c8f8-6c81c90d 4689->4712 4690->4631 4727 6c81cb8a-6c81cc0d 4691->4727 4728 6c81c69a-6c81c69f 4691->4728 4692->4631 4713 6c81c4c7-6c81c4cc 4693->4713 4714 6c81c989-6c81c99e 4693->4714 4738 6c81cc8d-6c81cc9e 4694->4738 4695->4631 4730 6c81c702-6c81c73d 4695->4730 4696->4631 4697->4700 4698->4631 4731 6c81c763-6c81c791 4698->4731 4699->4631 4700->4704 4701->4631 4732 6c81c7b7-6c81c7d9 4701->4732 4702->4631 4733 6c81c7ff-6c81c82b 4702->4733 4703->4631 4734 6c81c420-6c81c424 4704->4734 4705->4631 4736 6c81c851-6c81c85e 4705->4736 4706->4680 4707->4631 4735 6c81ce3c-6c81ce47 4707->4735 4708->4631 4709->4631 4710->4631 4737 6c81c46f-6c81c483 4710->4737 4711->4738 4712->4631 4713->4631 4739 6c81c4d2-6c81c4fa call 6c812a20 call 6c812a30 4713->4739 4714->4734 4715->4699 4740 6c81c9ca-6c81c9f9 4716->4740 4717->4631 4741 6c81c537-6c81c561 4717->4741 4719->4631 4720->4631 4743 6c81c5a7-6c81c5ba 4720->4743 4721->4631 4722->4631 4745 6c81c5eb-6c81c633 4722->4745 4724->4631 4725->4631 4747 6c81c664-6c81c674 4725->4747 4726->4631 4727->4631 4728->4631 4729 6c81c6a5-6c81c6d1 4728->4729 4729->4631 4730->4631 4731->4726 4732->4696 4733->4631 4734->4631 4736->4740 4737->4699 4738->4631 4739->4631 4740->4631 4741->4631 4743->4631 4745->4631 4747->4740 4752->4631
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @*Z$@*Z
                              • API String ID: 0-2842812045
                              • Opcode ID: a4959adb47afa5cf1a8e022737909023c0520adf36e86f5796df54898cd4cf50
                              • Instruction ID: b62c61fd4163d5673c775c7c5dc5cfe79ec20a8053a6fd6145fc2e805a44becc
                              • Opcode Fuzzy Hash: a4959adb47afa5cf1a8e022737909023c0520adf36e86f5796df54898cd4cf50
                              • Instruction Fuzzy Hash: 3842687060D3468FCB24DF19D68166ABBE1AB89318F244D2EF49AC7B62D335D945CB03
                              Function 6C85F015 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4755 6c85f015-6c85f029 call 6c864c92 4758 6c85f02f-6c85f037 4755->4758 4759 6c85f02b-6c85f02d 4755->4759 4761 6c85f042-6c85f045 4758->4761 4762 6c85f039-6c85f040 4758->4762 4760 6c85f07d-6c85f09d call 6c864e0f 4759->4760 4770 6c85f09f-6c85f0a9 call 6c8530e2 4760->4770 4771 6c85f0ab 4760->4771 4764 6c85f047-6c85f04b 4761->4764 4765 6c85f063-6c85f073 call 6c864c92 CloseHandle 4761->4765 4762->4761 4763 6c85f04d-6c85f061 call 6c864c92 * 2 4762->4763 4763->4759 4763->4765 4764->4763 4764->4765 4765->4759 4777 6c85f075-6c85f07b GetLastError 4765->4777 4775 6c85f0ad-6c85f0b0 4770->4775 4771->4775 4777->4760
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C86794F), ref: 6C85F06B
                              • GetLastError.KERNEL32(?,00000000,?,6C86794F), ref: 6C85F075
                              • __dosmaperr.LIBCMT ref: 6C85F0A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 569548cc9b42b5a516e33c63c8f4d904405b08d263e526a56e486ee581e516a4
                              • Instruction ID: b113f06a94497e095b1f03e1d2d7eaef80c52a0eda71653453c8e43651b7016d
                              • Opcode Fuzzy Hash: 569548cc9b42b5a516e33c63c8f4d904405b08d263e526a56e486ee581e516a4
                              • Instruction Fuzzy Hash: E701AF3370522016C271623D87547AE33594BD373CFAE4E29E41487FC0DFB084548190
                              Function 6C85428C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 5000 6c85428c-6c854297 5001 6c8542ae-6c8542bb 5000->5001 5002 6c854299-6c8542ac call 6c8530bc call 6c853810 5000->5002 5004 6c8542f6-6c8542ff call 6c85e565 5001->5004 5005 6c8542bd-6c8542d2 call 6c8543a9 call 6c85be2e call 6c85d350 call 6c85ef88 5001->5005 5014 6c854300-6c854302 5002->5014 5004->5014 5019 6c8542d7-6c8542dc 5005->5019 5020 6c8542e3-6c8542e7 5019->5020 5021 6c8542de-6c8542e1 5019->5021 5020->5004 5022 6c8542e9-6c8542f5 call 6c857eab 5020->5022 5021->5004 5022->5004
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: d8fe80390eea067051e9205805a2d2cd06e52553e64c6a7b0054bccad9706e63
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: 4BF0D63250162466D7715A6D9E00BDB3298CFC2378FD44F29E92493ED0DBF4D43A86E1
                              Function 6C849050 Relevance: 3.1, APIs: 2, Instructions: 108COMMON
                              Download Yara Rule
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8491A4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C8491E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: b9b8dce10e813bc15690991e55419a2d45f75008f6fa38b4e4b94dc687bd8695
                              • Instruction ID: 5c01a9a706b3d8ac47335c4f5097fb4511e964ab0b94c26f36355d2e5bc3e058
                              • Opcode Fuzzy Hash: b9b8dce10e813bc15690991e55419a2d45f75008f6fa38b4e4b94dc687bd8695
                              • Instruction Fuzzy Hash: BA515971101B04DBD735CF29CA88BD6B7F4BB05718F448A2DD4AA4BB91DB35B549CB80
                              Function 6C85262F Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(6C879DD0,0000000C), ref: 6C852642
                              • ExitThread.KERNEL32 ref: 6C852649
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: e8fce4918029dbe831cfee8e2d2a1609056c44fbb1c1b78a0e4c07d4424747d0
                              • Instruction ID: 5e8e2ad783de4529c5c4902526a8894f657ca32eaa0089bd094c1ac1f017dd6d
                              • Opcode Fuzzy Hash: e8fce4918029dbe831cfee8e2d2a1609056c44fbb1c1b78a0e4c07d4424747d0
                              • Instruction Fuzzy Hash: F3F0C270A00204AFDB619BB4CA4DAAE3B74FF45309F244D69E00197B91DFB55964CBA1
                              Function 6C85E662 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 8310a2d951860619d4c27c710ab1f73a10a598f856d25148575eb9157d7afe6b
                              • Instruction ID: cd2bdb87f4f38bab090a3d108dd42eb045411d3df6cf43f0650e34977485ed79
                              • Opcode Fuzzy Hash: 8310a2d951860619d4c27c710ab1f73a10a598f856d25148575eb9157d7afe6b
                              • Instruction Fuzzy Hash: 7C118C71A0420AAFCF05CF58E944D9B3BF8EF49308F104469F808AB311D670ED21CBA4
                              Function 6C8676EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: af6d2b468d7ef69a2a36eee07687897ebb76903597731f175fb378f37779031e
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: C4018F72C0015DBFCF529FA88D00AEEBFB5AF09304F144565E924E2650E7318A24DBC0
                              Function 6C867B47 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C867805,?,?,00000000,?,6C867805,00000000,0000000C), ref: 6C867B64
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 35a826aac60dbf5db3899d5e3d8d3016b236917f28f39bcec75709e896f3830a
                              • Instruction ID: 3145fe8812fb8ffef1a29111b50017f8adcab61ab7595027960b00e2c64de191
                              • Opcode Fuzzy Hash: 35a826aac60dbf5db3899d5e3d8d3016b236917f28f39bcec75709e896f3830a
                              • Instruction Fuzzy Hash: 75D06C3210014DBBDF128E84DC06EDA3BAAFB48715F014020BA1856020C732E861EB90
                              Function 6C7183A0 Relevance: 1.5, APIs: 1, Instructions: 1COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2216375148.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true
                              • Associated: 00000006.00000002.2216348049.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217709752.000000006C86B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2219690354.000000006CA37000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: d70d430abfd1720446334063e5d8d3a719cd42cebf87692cc7785e7d39ae51b6
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:

                              Non-executed Functions

                              Function 6C896092 Relevance: 21.8, APIs: 5, Strings: 6, Instructions: 2537COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C896097
                                • Part of subcall function 6C8991D6: __EH_prolog.LIBCMT ref: 6C8991DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $*$0UJ$@$@
                              • API String ID: 3519838083-862571645
                              • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                              • Instruction ID: 0b2f0832dc14a6f6e2bf067fa2631e896a16b65cfa58c1bfd53861c2f498f4bf
                              • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                              • Instruction Fuzzy Hash: 5D337F30E002599FDF31DFA8CA90BDDBBB1AF45308F1088A9D409A7A51DB759E89CF51
                              Function 6C8E889F Relevance: 15.6, APIs: 6, Strings: 2, Instructions: 1591COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8E88A4
                              • __aulldiv.LIBCMT ref: 6C8E8C4A
                              • __aulldiv.LIBCMT ref: 6C8E8C78
                              • __aulldiv.LIBCMT ref: 6C8E8D18
                                • Part of subcall function 6C8EA36D: __EH_prolog.LIBCMT ref: 6C8EA372
                                • Part of subcall function 6C8EA40E: __EH_prolog.LIBCMT ref: 6C8EA413
                                • Part of subcall function 6C8E9E78: __EH_prolog.LIBCMT ref: 6C8E9E7D
                                • Part of subcall function 6C8E424A: __EH_prolog.LIBCMT ref: 6C8E424F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog$__aulldiv
                              • String ID: L$b
                              • API String ID: 604474441-3566554212
                              • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                              • Instruction ID: 0f5c52d22573e310cce12fec354892a73e23b54f73780d63a59b62e1df07cac9
                              • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                              • Instruction Fuzzy Hash: 3EE2B130D05259DFCF21DFA8CA90ADCBBB5BF1A308F1448AAD449A7B41DB706E49CB51
                              Function 6C8DB4AC Relevance: 8.7, APIs: 1, Strings: 3, Instructions: 1656COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8DB4B1
                                • Part of subcall function 6C8DC93B: __EH_prolog.LIBCMT ref: 6C8DC940
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: f8416e8984a33e54f31ccaaa9a35cca6e907abd6db371387a33f5150f73a55c9
                              • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction Fuzzy Hash: 9EF27D70900258DFDB21DFA8CA84BDDBBB5AF49308F254899E449EB741DB70AE85CF11
                              Function 6C8CDEEF Relevance: 8.3, APIs: 1, Strings: 2, Instructions: 3058COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8CDEF4
                                • Part of subcall function 6C8D1622: __EH_prolog.LIBCMT ref: 6C8D1627
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: 1d0b4a1af4b01f1908e0ca3a082979514dae9825db6b374bbbbdcd3acd6f5ae2
                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction Fuzzy Hash: 97538D30E01258DFDB25CBA8CA84BDDBBB4AF15308F1448E9D449A7791DB70AE89CF51
                              Function 6C8DF7F3 Relevance: 6.8, APIs: 1, Strings: 2, Instructions: 1546COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: 8f6bc5f0abae39b51116647e817967e8a3da184ee07d7663a3fe6504b971f238
                              • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction Fuzzy Hash: 35E2D430905389DFDF21CFA8C644BDDBBB0AF1A308F244899E854AB791CB74D945DB61
                              Function 6C8A9CE0 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1923COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8A9CE5
                                • Part of subcall function 6C87FC2A: __EH_prolog.LIBCMT ref: 6C87FC2F
                                • Part of subcall function 6C8816A6: __EH_prolog.LIBCMT ref: 6C8816AB
                                • Part of subcall function 6C8A9A0E: __EH_prolog.LIBCMT ref: 6C8A9A13
                                • Part of subcall function 6C8A9837: __EH_prolog.LIBCMT ref: 6C8A983C
                                • Part of subcall function 6C8AD143: __EH_prolog.LIBCMT ref: 6C8AD148
                                • Part of subcall function 6C8AD143: ctype.LIBCPMT ref: 6C8AD16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: bd8e7e7fb23c4beefbfdb06d0efbbe47fcf21cdc4de55d7e8787e933c5a18187
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: 83038C30805248DEDF35DBE8CA50BDCBBB0AF15308F1448AAD44567A91EB749F8ADF61
                              Function 6C8FF580 Relevance: 5.2, Strings: 4, Instructions: 153COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction ID: 48a42b9fdb788f5e76d5b53972d5a2264c2b34e584400afb975a4095d9c5f60b
                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction Fuzzy Hash: 59411772F109601AB3488E3A8C855667BC3C7CA346B4AC23DD575C6AD9DA7DC40782A8
                              Function 6C8D3A52 Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1212COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: bf228baf6eda136a6b9f24546be03eca7609960153120e300b4a68b5fea069e6
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: 04B29D70A01259DFDB20CFA8C688B9DBBB4BF89308F254899E845EB751C775ED41CB60
                              Function 6C8C25EC Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 995COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-3916222277
                              • Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                              • Instruction ID: 84d37d49fe829ca008df8ce32a83bee8863d357a106125b6e88b5ddb3b640f7c
                              • Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
                              • Instruction Fuzzy Hash: 2C92A130A01249DFDB25CFA8CA88BDDBBB1BF09308F144999E815AB791C774DD45CB62
                              Function 6C8D4F11 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 511COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-3916222277
                              • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                              • Instruction ID: 7de52f6b7421133a01b9e7f283896f0e532381021c90b487528934cd91f121df
                              • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                              • Instruction Fuzzy Hash: 9D2249B0A003099FCB24CFA8C584BAEBBF1FF48308F10896AE4599B651D774E945CF90
                              Function 6C8C7896 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 333COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8C789B
                                • Part of subcall function 6C8C8FC9: __EH_prolog.LIBCMT ref: 6C8C8FCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: 3388976ca9c10934b53f68ba69c34e9ebc1fc09a129422be04a7f3e423e0ed7d
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: 36D10230F042099FDB24CFA8C690BDDB7B6FF94318F15886AD415ABA84CB34D945CB52
                              Function 6C87BEA1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: cdc6a7a068a5bdebe4173f459c8de17bfe05fc1773bf75ae14c8a9c694e49d5f
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: F7919331D051099BCF34EFA8DA909EDB7B2BF15308F108879D46167A52FB315A49CBB0
                              Function 6C8E5521 Relevance: 2.6, APIs: 1, Instructions: 1105COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction ID: 19021ace929a0983cccae27ea4ad5efd01dada7b6eb5247ea2a0ec0c72f23b80
                              • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction Fuzzy Hash: 1BB29A30A04758CFDB31CF69C690BDEBBF1AF0A308F1049A9D59AA7A51D770A985CF10
                              Function 6C87B972 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: f8e887f23c554ce41013abfed2ad64950639f9f9760b163d9996ad08a4b4583e
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 0D219E37AA48564BD74CCA28EC33EB92680E744305B89527EE94BCB7D1DF6CC800DA4C
                              Function 6C89840A Relevance: 2.3, APIs: 1, Instructions: 760COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C89840F
                                • Part of subcall function 6C899137: __EH_prolog.LIBCMT ref: 6C89913C
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 608234b13c4f07080e79836ca561ceeee62e11ec1c4f6670be0ffb3292558a09
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: E8628E71D0121ACFDF25CFA8CA94BDDBBB1BF45308F14486AE815ABA80D7749944CF91
                              Function 6C8F0AD0 Relevance: 1.9, Strings: 1, Instructions: 669COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: c08b75f43f0c84d89d4629abb1da0ae7a4dec73c81e6bffed0592fb09daa407d
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: 6C42D0706093808FD325CF28C59069ABBE2AFD9348F154E6DE8E58B742D771D80BCB42
                              Function 6C9167C0 Relevance: 1.9, APIs: 1, Instructions: 356COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                              • Instruction ID: 0ae3cb4ff030ffa9968f1186d1d49b746fd6a26cf811ab7243433eba6a0f6a3d
                              • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                              • Instruction Fuzzy Hash: 89E17D71A083458BD724CF29C881AAAB7F5FFC8314F14862EE859CBB55D730E945CB91
                              Function 6C8CAD43 Relevance: 1.8, APIs: 1, Instructions: 346COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction ID: 9c1af218d0ee8673ebc7ca636073c7e08afe7c2a9dff952310f67b311d2ac876
                              • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction Fuzzy Hash: 7AF13B70A00249DFCB24CFA8C690BEDBBB1BF04318F14896DD459ABA51D770EA59CF52
                              Function 6C918D90 Relevance: 1.8, Strings: 1, Instructions: 513COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction ID: b7a0969ee2c58ce6daeedaf42f8ec7def2bd0a0e274d804096429e9b1d5f8bde
                              • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction Fuzzy Hash: 52324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                              Function 6C9197C0 Relevance: 1.7, Strings: 1, Instructions: 468COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction ID: a9c25630fa9f5d25e47141f4a682179e3f80c3b56a32e473bfb16552edd8d8e3
                              • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction Fuzzy Hash: 9A12F6B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568B86
                              Function 6C883BCA Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 07a596840b4d2e5c10df8b69d3124208482e3c88695e1a715c8a83ecc3bd9cca
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 6651F871A092459BD710CF5EC4C02EDFBE6EF79214F18C45EE88897642D27A4D8AC760
                              Function 6C8FCE80 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: 22fb60b4bfbb9f852e516c59e20090c1e5e6b6fed1148a1bcb3fb5dc018deccf
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 3B02A0316093408BD725CF28C69079EBBE2AFC9348F144E2EE6E597B51D7709946CB82
                              Function 6C919999 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction ID: 32fcd411607233ed301d69177ff04052fd71a72fb7c5b8fcd19b98a333a4d62f
                              • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction Fuzzy Hash: C1D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                              Function 6C87F7CF Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: a8ee00205b1dbd3e2f386dbfefe6d6147bd7fbb6e8146dfde15fc1c81dbaf821
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 97519473E248254AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78989087D4
                              Function 6C8EDB90 Relevance: .9, Instructions: 940COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: ffabd2fff45a26ffa737a95cb8d7f381b0c761d217f665833508b30ce4da8f49
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: 31728D716042178FD758CF18C590268FBE1FB89314B5A4AAED95ADB742EB70E8C5CBC0
                              Function 6C8F3020 Relevance: .8, Instructions: 762COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: a0b6e29b67db386d0ee5f59ff615b556ae556227996bd15350bff6abe85e3187
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 91525131205B458BD329CF29C69066AB7E2BF95348F144E2DD4EAC7B41DB74F84ACB42
                              Function 6C90D930 Relevance: .7, Instructions: 740COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: 70dd5f8054b4d9070ff5d53d0093a8e772a4be0fe5629d35e98c22bd46a15417
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 346203B2A093458FC714CF19C48061AFBF9BFC8744F248A2EE99987B15D770E945CB82
                              Function 6C90B950 Relevance: .7, Instructions: 697COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction ID: cd96d03af2d6d6aa276607cc5d61c91c48631dd26dabbae668842e0eb9f75322
                              • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction Fuzzy Hash: BB428C71704B068BD328DF69C890BAAB3F2FB84314F044A2DE896C7B95E774E549CB51
                              Function 6C8FA1F0 Relevance: .6, Instructions: 634COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                              • Instruction ID: 7962f5171d004703a757e292102d91e5232485e78c3e3726a5980146547bda6e
                              • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                              • Instruction Fuzzy Hash: E2329071A0025A8BDB24CF18C9D06DE7BA2FF893A4F15893DEC659B740D770E952CB90
                              Function 6C8F6D50 Relevance: .5, Instructions: 547COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: b5192e360972fbf90afa8a06455edf756c0c9eb2b26055faefdf874026563d59
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 291291712097458BD728CF28C6D065AFBE2BFC8384F544E2DE9A687B41DB31E846CB51
                              Function 6C907489 Relevance: .5, Instructions: 519COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction ID: 59cd5e3f926e5f9a8f91d1ac02bf57e0780fb472be47c4f1771caacea532a67c
                              • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction Fuzzy Hash: 1902C673B487514BD714CE1DC880239BBE3BBC0790F6A4A2DE89587B94DBB0D946C791
                              Function 6C907AA0 Relevance: .5, Instructions: 474COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 1175c4ecbcf19b2ce58190ae50e13a130cc0e36fa85009d894beadc9f232e9f7
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: BD02FA72B082128BD319CE28C490379BBF2FBC4365F150B2EE49697A94D774D985CB92
                              Function 6C911600 Relevance: .5, Instructions: 470COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction ID: b52ccf5bce94a6b50fc8ae192c4e65c598674af4c31834a92b56d2cfc5e77da5
                              • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction Fuzzy Hash: E712E330608B558FC328CF2EC490666FBF2AF96304F188A6ED1D687BA5D735E548CB51
                              Function 6C8F2A50 Relevance: .5, Instructions: 453COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 47611f772e54c5bc76720d9e3e1ca50fb5d895edf26308fa55fdcfc2f90148bc
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: 45F110326042C98BEB34CE28D9947EEB7E2FBC1344F54493DD899CBB41DB39950A8791
                              Function 6C8F9D10 Relevance: .4, Instructions: 429COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: 96809ff7cc975953e84990e843ecb320366d7a05d5a8805e12d7fc80657cf6ad
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: 0BE1DD31604B048BE734CE28D5A03AAB7E2EBC4394F544E3DC5A687B81DB75A54ACB91
                              Function 6C911BC0 Relevance: .4, Instructions: 399COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction ID: 66186b4c1629ce254fb781928026216aa4ede995df6eafa6d56ef92082d802ae
                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction Fuzzy Hash: 64F1D070608B558FC328CF2DD491226FBE2BF9A304F188A6ED1D68BB91D339E554CB51
                              Function 6C90F8D0 Relevance: .4, Instructions: 383COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction ID: 9b7e476d0a9146de290bd8163b42695aa55d2efa5402ef666ddbcd8e115a6dc8
                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction Fuzzy Hash: FBF1E570608B628FC329CF29C490266FBF1BF85308F188A6ED5D687B91D339E255CB55
                              Function 6C8F9900 Relevance: .3, Instructions: 341COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: aa581b3aa43cd068e6d9e3f7b9a43dca69b56e9381ba0080c7a5ead02d163372
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: 10C1D171604B068BE338DF2DC5906AAB7E2FBC4354F158E3DC1AA87B55D630B496CB81
                              Function 6C9025C0 Relevance: .3, Instructions: 333COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: c07ce521b921fe54bd9a8c4996a94480ad1246df5418338505a4c422a1f71bf4
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: 21D10071605A168FD719CF1CC4A8636BBE5FF86304F054ABDDAA28B38AD734E505CB50
                              Function 6C917DE0 Relevance: .3, Instructions: 333COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction ID: fa72a2ae2ed182908d097a2a0e9303ebc8e719ffc7d7dd0e105f6e6534cf295a
                              • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction Fuzzy Hash: 17E1E7B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                              Function 6C9010E0 Relevance: .3, Instructions: 320COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction ID: 2ede878ecca5b2b30150c5304a1a4e0e900dd5f5c85b22ab759093dcd07e9848
                              • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction Fuzzy Hash: 82B17EB17062518FC340CF2DC8802597BA2BBC626D77587ADD4A49FA5AD336E847CB90
                              Function 6C8F5580 Relevance: .3, Instructions: 316COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 9aec492166e5c6340cdeb39d7f16725a75ea81ea8c229ab1f4fe87c639dc1a0a
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: EDC1D4352047458BC728CF3DD1A02A7BBE2EFDA354F148A6DC4DA4BB55DA30A80ECB55
                              Function 6C9014D0 Relevance: .3, Instructions: 307COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: c728b03e649f150acbd925b6a301cc1c126f93eb149be787a5ee702a73470f58
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: 7EB17E72B052418FC341CF29C880255BBA6FF8636DB79969EC8948F646D337E847CB91
                              Function 6C917870 Relevance: .3, Instructions: 298COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 8e7e50efb8cd4fe22d2a84672109dfa8632bd2fdb985aa820cc64d3bd83d6abf
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: C4D1F7B1848B9A5FD394EF4DEC82A357762AB88301F4A8239DB6007753D634BB12D794
                              Function 6C8F1810 Relevance: .3, Instructions: 296COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 7f64f5c19ba235b9f35dd5479ac7b3f1547a37edc418931f0a3c8c6268f5a04e
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: 02B1D271305B458BD324DE39CA90BDAB7E1AF91388F044D2DC5BA87B91EF34E50A8790
                              Function 6C8F4AA0 Relevance: .3, Instructions: 291COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: 11b9f2a4b5d2d96182aed4d95f85df4fec944ca525d97684a4211d8d3c724c73
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: 6BB1BE756087028BC314DF29C9906ABF7E2FFC8304F14892EE4A9C7711E771A55ACBA5
                              Function 6C8FC9F0 Relevance: .3, Instructions: 287COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: 19d9ed4223197a61e387c60ac216b70bee9c339d2c3f266a220525d0b77567d4
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: 8AA1C47160C3418FC338DE2DC59069ABBE1ABD5388F544E2DE4E687742D631EA4BCB46
                              Function 6C8F75D0 Relevance: .2, Instructions: 224COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: 24f24bab4232fe1b287cde7eacc4764833fcc33363136308214c1d73113225f7
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: 95617EB23182158FE308CF69E690A96B3E9EB99361B1685BFD115CF361E731DC42C718
                              Function 6C8FC6E0 Relevance: .2, Instructions: 223COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: 98ce5e0852b6e8070519dc60f073fd7fdefd7cbdebe75b2ef80dbe3a422a3abd
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: C581A035A047058FC330DF29C180296B7E1FF99754F288A6DC5A99B711E772EA47CB81
                              Function 6C90A8C8 Relevance: .2, Instructions: 216COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                              • Instruction ID: afcb411df55975940de24dd02809fef6eaf252309655b087bc1ca2528644d64f
                              • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                              • Instruction Fuzzy Hash: 3FA1AE71A0824A8FD729CF19D490AAEB7F2FF84308F158A2DE4868B351D735E555CB81
                              Function 6C90B520 Relevance: .2, Instructions: 216COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: 724eeac1dd852b0a0158f44fbbb7bea439ac1f9cea631bf401a7f3c1ae2c1799
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: C8918072D1871A8BD314CF18D88026AB7E0FB88318F49067DED9997341D739EA55CBC5
                              Function 6C893B66 Relevance: .2, Instructions: 167COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 23e72b2a665decfc0c4912eebefea8a88e93d655a9a16255f5a4559de07a321d
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 72519F76F006099BDB18CE9CDEA16EDB7F2EB88308F248569D119E7781D7749E41CB80
                              Function 6C8EE650 Relevance: .2, Instructions: 154COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                              • Instruction ID: cb8ce9fb92c40fb8b662d8f96f043de3cb3f0a54be28bd4878a9550cdbee1f0b
                              • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                              • Instruction Fuzzy Hash: 8B518C30A083468BD320DF5EC980606B7E1FF9E348F248A6DE99487712D772E906CBD1
                              Function 6C895EC9 Relevance: .1, Instructions: 136COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: ecb98808d764d93d34f1bca71bb85849a618b6f67c6fc84f2b110807151d0500
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 2D3114277A450103C71CC92BCD1279FA1575BD422A75ECF396805CAF59D52CC8164144
                              Function 6C902050 Relevance: .1, Instructions: 123COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                              • Instruction ID: 86146e137f329b1cf6aea218230301f8312c3ada4c74aeee661f49b0ac4c90e2
                              • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                              • Instruction Fuzzy Hash: 00314A73B04E060BF340851ACD4C36A7267DFC2378F1A873CDA6687EADDA71D6468140
                              Function 6C901EF0 Relevance: .1, Instructions: 123COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: 011af794734a63f4d18c57210033a7ee9f75a787651123b36d4f750ae7187a5a
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: 8E31E273704E064AF300852AC988366732BDBC23ACF69876DDA6697EECCB71D856D140
                              Function 6C909820 Relevance: .1, Instructions: 112COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: 4a165e225c2ed315fc939f9e2204a86bc3b88b0101d4fe5a37e3a23f8ab6ef91
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: A041C172A047068FD704CF19C89056AB3E4FF88318F454A6DED5AA7381E331FA15CB81
                              Function 6C9176C0 Relevance: .1, Instructions: 88COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: 4c8ea6801fcf9a02e22543e4efd1e3f5bbafeba7e5ea5e3f559e81c6f31278d7
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: 78214871A08BAB07F7219E6DCCC137577929BC1305F094279D9A08FA87D179C4A2D660
                              Function 6C91D91A Relevance: .1, Instructions: 73COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction ID: 8101edb333d597258d57500d79384d926d1556b2a80d6706629831d3fc6e9efd
                              • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction Fuzzy Hash: A621377351982947C302DF2DE888677B3E1FFC431DF638A3AD9918BA81C624D440CA90
                              Function 6C91DA00 Relevance: .1, Instructions: 73COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction ID: 340af8c03195a12b4895172ac15d333ff8037ae35b9ae4a0e31c8974b3e10ecb
                              • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction Fuzzy Hash: 1B2102336091188FC702EF6AD88469B73E6EFC8365F67C63DED8147A44C630E60686A0
                              Function 6C91C700 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: 5cd2f6334575fe3a21440221ff6fea2699a9d5ae6b4e4e409aa42764de74d3f0
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: 79219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D77AC457C385
                              Function 6C900380 Relevance: .1, Instructions: 64COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                              • Instruction ID: f50066192299299a9359e9d86c9416678cba55cb7595d45004c38b8eb8685082
                              • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                              • Instruction Fuzzy Hash: CA2190327193428FC308DF58D88096BBBE6FFC9210F15857DE9848B351C635E906CB91
                              Function 6C900280 Relevance: .1, Instructions: 61COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                              • Instruction ID: 3aa7d0149b45ec0591e871719cbdfe11996d6b533d4c04dbb9e81cdac2453f94
                              • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                              • Instruction Fuzzy Hash: 58118E723183864BC308CE1DDC90976BBE5FBC9200F24497DE985C7341CA25D906DB95
                              Function 6C912640 Relevance: .0, Instructions: 48COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                              • Instruction ID: f1d8a020b261fbb19b5a6304ccdd5a85efdf446645611d4abf5afb87909e8927
                              • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                              • Instruction Fuzzy Hash: 300121652A668989D781DA79D490748FE80F757203F9CC3F4E0C8CBF42D599C54BC3A1
                              Function 6C9097A0 Relevance: .0, Instructions: 41COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: f7b2336b469706c60551e32513aee687a84881d2b7e3c7f1300d0fe4b7389563
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: 74016D7291462A57D7189F48CC41136B390FB85312F49823ADD469B385E635F970C6D4
                              Function 6C91A700 Relevance: .0, Instructions: 13COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                              • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                              Function 6C8B1B50 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 341COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: ad3ca48338b3a4a93e8b55390a055b783809f5db82153e12d0a2491ab2ab1ac3
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: 02D18271A0420ADFCB21CFA4DA90AEEB7B5FF05318F144929E055BBB50DB74E949CB60
                              Function 6C8DABB3 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 406COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                              • API String ID: 3519838083-3887797823
                              • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                              • Instruction ID: df1acbd58be3638814d7b46891d3895ac356e298c69ff1a09233666a021d0b6c
                              • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                              • Instruction Fuzzy Hash: 5C02D670901249DFCB30CF58CA90ADDFBB5BF05318F6549AED059A7A50D730BA89CB61
                              Function 6C8C8B6F Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 151COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8C8B74
                                • Part of subcall function 6C8C8AC2: __EH_prolog.LIBCMT ref: 6C8C8AC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: DJ$H K$L K$P K$T K$X K$\ K
                              • API String ID: 3519838083-3148776506
                              • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                              • Instruction ID: 11c247c6547f28d661f09d4798ae728598d17368218daabf0bd9716782946ce5
                              • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                              • Instruction Fuzzy Hash: A9518330B411099BCF34EB68C680AEEB371AB9131CF10CD2BD9616BB81DB79D909D752
                              Function 6C8C6CB2 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 347COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $$ K$, K$.$o
                              • API String ID: 3519838083-1786814033
                              • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction ID: 32f18a02ec073adaf0b42e5437278d949aca5883e4892293a463a71dee88883c
                              • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction Fuzzy Hash: 3DD1C331B0525D8BCF21CFA8C6907EEBBB2BF49308F244A7AC455A7A41C771D945CB62
                              Function 6C899798 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 461COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: 169bd47fa8311b73d97ec4a8c34396fbcf2a9f6802c6ac85110a2adbd7fde012
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 5C128A71900219EFDF20DFA8CA80AEDBBB5FF49318F20896DE819A7A50D7359945CF50
                              Function 6C887FA6 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 149990047fafe9bac94522268b1cb38252e65dcaa97d4c4ab692e007031dc69e
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: FA21E13094621DFEDF20DE948E80DCF7A69EF613B8F208626B520A1E90D7728D54D661
                              Function 6C88D6EC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C88D6F1
                                • Part of subcall function 6C89C173: __EH_prolog.LIBCMT ref: 6C89C178
                              • __EH_prolog.LIBCMT ref: 6C88D8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 186ae9709ec27bfbd628df77362b67c97195b0038ea52e3ca9181fb8dd0470db
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 02718E30905259DFDB24DFA8C540BDDB7B0BF15308F1088ABD8556BB91DB74BA09CBA1
                              Function 6C8D684E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8D6853
                                • Part of subcall function 6C8D65DF: __EH_prolog.LIBCMT ref: 6C8D65E4
                                • Part of subcall function 6C8D6943: __EH_prolog.LIBCMT ref: 6C8D6948
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: ((K$<(K$L(K$\(K
                              • API String ID: 3519838083-3238140439
                              • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                              • Instruction ID: f9b3ef32d1fc19b9512592851f495b65cbb103a054e83bf25a6b06e5d230034b
                              • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                              • Instruction Fuzzy Hash: 34212AB0901B44DEC734DF6AC64469AFBF4AF54308F108E6F80A687B50DBB46A488B65
                              Function 6C8A1418 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8A141D
                                • Part of subcall function 6C8A1E40: __EH_prolog.LIBCMT ref: 6C8A1E45
                                • Part of subcall function 6C8A18EB: __EH_prolog.LIBCMT ref: 6C8A18F0
                                • Part of subcall function 6C8A1593: __EH_prolog.LIBCMT ref: 6C8A1598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: 74ee6859ff83bb1b072f0e73b4efc63abf8b62e187cfe0ea2582560680762d42
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 7A217971D01258EECB24DBE8DA819EDBBB5AF25308F20443ED41227781EB749E0DCB61
                              Function 6C8C9E3F Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 452COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: abda09b771b002d264a727a07753ff6e705832cab9e10962c51ec880702de265
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: EB127D70A05249DFCB24CFA8C6D0ADDBBB1FF08308F14886AE455ABB51D735E945CB62
                              Function 6C895B91 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 05a29eba5d575dc5d5d2a46a154f6433f84c4d3e968f065a5b770f72d806b5e6
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 42B16071D05309DFCB24CF99CA905AEBBB1FF48319F608A2ED416A7B50C731AA45CB50
                              Function 6C8991D6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: f297e44aef86c1db9ce5bc306bc6272c3e9ff6868e65d6d43f91791bc284e1df
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 4B219271E012058FCB24DFEDC5C01EEB7B2FB95324F144A2EC426A7B91C7744A06CAA2
                              Function 6C8B0584 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                              • Instruction ID: 08998ac95a6a2edc88711a523ebe7f40e7c89632cb4cd8c984c386c97aa231c7
                              • Opcode Fuzzy Hash: 95611479d40a215ec944db407e0a8f4bd880271165c87792ba86edb23d6a866c
                              • Instruction Fuzzy Hash: 08215E72D0111D9ACF24DBD8CB90AEEB7B5EF99308F20096AD40177741EB755E08CBA1
                              Function 6C8A7EC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8A7ECC
                                • Part of subcall function 6C89258A: __EH_prolog.LIBCMT ref: 6C89258F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: a5b9ecc8946dd34b6e5e87acf4283b8a7244c2e59558f4fec04f082cc7c92726
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: F821C9B0811B40DFC770CF6AC14428ABBF4BF29708B008D6EC0AA97B11E7B8A509CF55
                              Function 6C8C61B5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8C61BA
                                • Part of subcall function 6C8C6269: __EH_prolog.LIBCMT ref: 6C8C626E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ
                              • API String ID: 3519838083-3152824450
                              • Opcode ID: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                              • Instruction ID: b678cffad00979ccabc7c833a97e70e8e667f191703ed8062669d78f948237aa
                              • Opcode Fuzzy Hash: ae61c101c46c5c8fb0edf6ab07ecac335665618d15e9b15e4cd2ad5cdca4aa88
                              • Instruction Fuzzy Hash: FE11D4B1901754CFC720CF5AC5986D6FBE0FB25304F54C86E90AA87711D7B4A508CB65
                              Function 6C89ED0E Relevance: 6.4, Strings: 5, Instructions: 105COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 50f3bcf85e52dbea7468dba7bea8d935a893b26b8162cda8eedaef00c04427f4
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: 7A416571C05249ABCF34DFADD6908EEBB74BF11208B10897ED02167D51EB35AA49CB91
                              Function 6C8EC300 Relevance: 6.3, Strings: 5, Instructions: 49COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
                              • API String ID: 0-3393562052
                              • Opcode ID: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                              • Instruction ID: 5a4e981b8dd4db35f842ddc4d9f9d1f8526fb4acbcf397d9a7d6770e767346ac
                              • Opcode Fuzzy Hash: 56e76445033a99da05fe192590a15bb20ec13d4a39ad9bab330bef12182d4e5a
                              • Instruction Fuzzy Hash: CE2106B1580B419FC320CF1AC48979BFBF4FB15754F50DA2ED5AA57A40C7B8A608CB98
                              Function 6C881072 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 398COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C881077
                                • Part of subcall function 6C880FF5: __EH_prolog.LIBCMT ref: 6C880FFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 083e6fa817d5fcb7009e9323655db0d27684a53abfb70a6b34570cafbe933aa3
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: F9E1C1309022099ACB31DFA8CA90BEDB7B1AF0531CF10492DD4666BED1EF74E949CB51
                              Function 6C8D6BED Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x'K$|'K
                              • API String ID: 3519838083-1041342148
                              • Opcode ID: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                              • Instruction ID: b6fde292f47f0db02053f7661008e4238b1112ab264713f6a5d111dafc1c40c2
                              • Opcode Fuzzy Hash: a25bbfd597e839604be9dc74c608115d2298b3d137bba62e84176c22df84cc64
                              • Instruction Fuzzy Hash: 53D1F830844B4E9ACB30DF68DB90AEEB771AF02308F264D2DD06693DD5DB65794AC721
                              Function 6C8A6C20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 224COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: dfa4aad17ff646fc02ee8b7c06f3d37d3fcce4a28142e2959d214f5806ea8f9b
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 3C913B70910609DFCB20DF99C9949DEFBF4BF18308F54492EE455E7A50E774AA49CB20
                              Function 6C89BC58 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C89BC5D
                                • Part of subcall function 6C89A61A: __EH_prolog.LIBCMT ref: 6C89A61F
                                • Part of subcall function 6C89AA2E: __EH_prolog.LIBCMT ref: 6C89AA33
                                • Part of subcall function 6C89BEA5: __EH_prolog.LIBCMT ref: 6C89BEAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: e36e2f93ac84435e72675d815e94781ff197f87506b79d82db093891327deee5
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: F8814D31D00158DFCF35DFA8D690AEDB7B5AF18318F1048AAE51567B91DB30AE49CB60
                              Function 6C8C95B2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction ID: abbb32b78d91226aabd42f4ced68ee64d953d1b2a4d1c68274e44986cb3656ef
                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction Fuzzy Hash: 0F51AE75B003099FDB14CFA4D9C0BEEB3B5FB89318F148869D901ABA81DB74E9058B61
                              Function 6C8A2F9C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 0120f1193a06c6e63f0a49265c2a0ad50b27dba1101b89783bbd75f96272b518
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: 8E516D71904249EBCF21DFD9C9808EDB7B1BF49318F10892EF515ABA50E7759E4ACB10
                              Function 6C89E9B9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: 5ed206a5e2a9f52376e04d4e9c92ce9c3eb078bc57f48fd6cfb6110f749aefd0
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: CC410520A045A46ED7369B2CC6907EDFFE1BF27208F188D78C49217E91DB65598AC3D0
                              Function 6C8B0B66 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 8)L$8)L
                              • API String ID: 3519838083-2235878380
                              • Opcode ID: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                              • Instruction ID: 814ac133fb204621fdc19e1994564df74859469e190886a7aa75510783703934
                              • Opcode Fuzzy Hash: 1ee38908214ddba89c01b11f8f662c4b80f228d5f64c7dd9e77453d2deb43dcf
                              • Instruction Fuzzy Hash: 4451BC71201640CFD7349B68CBA0ADEBBE1FF85308F54492ED19AABB61DB307848CB54
                              Function 6C8AE606 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: qJ$#
                              • API String ID: 3519838083-4209149730
                              • Opcode ID: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                              • Instruction ID: e8efc3bc6c103a5c35e957beb7bbf3396e37200cbd9e2d25dded51d13292dc2c
                              • Opcode Fuzzy Hash: e1f34668789bc69a62d5b524bab96a8de5a2ccca07942ae6dd88fce0d8712790
                              • Instruction Fuzzy Hash: AB516C75900249DFCF20CFE8C6809DDBBB5AF09318F148959E815A77A1D734EE1ACBA1
                              Function 6C8A314A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: PdJ$Q
                              • API String ID: 3519838083-3674001488
                              • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction ID: d8554490bf1c656ee55463429b00c723232c1c27aff4af6bdb37122bb0fd2a56
                              • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction Fuzzy Hash: 8B41B271D00209DBCB20DFE9CA504EDF3B1FF49319B10892EE525A7A50D7319E46CB90
                              Function 6C8B812C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: 56d8ba678761f15ddedbeb6b1a6b7f3662f12e8c2e03758a5863e90c1d32e35b
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 7431F831686D0BDBD730AB5CDB01BAE7761EB11718F20092FD510B7FA2CB7099858A54
                              Function 6C8B7C24 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 34459615737f6c6b1b8cdf6be8ee25e490ae5708c039cdf03236d33fd95b207b
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 6C419131601785EFDB319F64CA907AEBBE2FF45209F044C2EE05A67B51DB316908CBA1
                              Function 6C8BACB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 90570a3d508f476b49c6d3e0cc6f3cf23de8c4e730ca902600bf9df22000134d
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: 9621B7B1A447046ED730CFA98981B9BBAFCEB94715F148D2EA146E3F40DB70ED088765
                              Function 6C8AE77E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: #$4qJ
                              • API String ID: 3519838083-3965466581
                              • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                              • Instruction ID: 748e29597ad3b57d1bb2c365182bb4d9ef9a302d91cfa6500b602028cfef6ad3
                              • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                              • Instruction Fuzzy Hash: F331EE35A04229DFDB24CF99CA40AAE73B4AF49318F004C68E81167B50D770AD16CBA0
                              Function 6C8B3906 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: e469d543b09654080c1cebfe27ad40ee31b65a240ed9206a55faa4c5402a91ad
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 41016171E05209DBDB20DF9985805AEF7B4EF66704F40882EE565F3B41C774AA04CB55
                              Function 6C88F0AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: a2227b918c91b42c56018fe9923c1c8a628495e12da819a930d65e6c34dc9472
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 75113C75A02209DBCB11CFE9C59059EB7B4FF68308B90C86EE469E7B40D3349A45CB95
                              Function 6C8DF5D5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              • API String ID: 3519838083-2069324279
                              • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction ID: 4f7d5870f168f19de03310c8a0c3a40f9058d0a2d7905d297713899b63a98012
                              • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction Fuzzy Hash: 8F019EB1A157059FD724CF59D6053AEB7F4EB55718F10C82EA06293B50C3F8A9088BA4
                              Function 6C8C0180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8C0185
                                • Part of subcall function 6C8C022B: __EH_prolog.LIBCMT ref: 6C8C0230
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                              • Instruction ID: de06579b9252918e7c8e666774d8552afac5c42c22900cc0e822f919ce6beb5a
                              • Opcode Fuzzy Hash: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                              • Instruction Fuzzy Hash: 5811A5B0911B108BC3248F1AC4541D6FBF4FFA5754F40C91FC4AA87B20C7B8A5588F98
                              Function 6C8BDFC7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8BDFCC
                                • Part of subcall function 6C8BD4D1: __EH_prolog.LIBCMT ref: 6C8BD4D6
                                • Part of subcall function 6C8BC14B: __EH_prolog.LIBCMT ref: 6C8BC150
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction ID: a83d35264cf53e64cbf479935ccca0845bb794901aa6f74163fe24d54fcf100b
                              • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction Fuzzy Hash: 970105B1804B55CFC325CF59C5A428AFBE0BB15308F90CD6EC0AA57B50D7B8B508CB68
                              Function 6C8DE434 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8DE439
                                • Part of subcall function 6C8DE4BA: __EH_prolog.LIBCMT ref: 6C8DE4BF
                                • Part of subcall function 6C8C022B: __EH_prolog.LIBCMT ref: 6C8C0230
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: D.K$T.K
                              • API String ID: 3519838083-2437000251
                              • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                              • Instruction ID: 2b1239158fb6c61a1719e8683a368f7093d81e27c481e1af4cf24b94b4b7ed0b
                              • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                              • Instruction Fuzzy Hash: 76011E70911B558FC725CF69C5542CABBF0AF19704F008D6E80AA97B40E7B4AA08CB95
                              Function 6C8B0425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 8)L$8rJ
                              • API String ID: 3519838083-896068166
                              • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                              • Instruction ID: 699975d3504479b13105b6b5988dcf304d36be09f3f18ea2c105ad2cb3d0bd13
                              • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                              • Instruction Fuzzy Hash: BEF01776A04114EFC700CF98C949ADEBBA8EF56354F14846AF405A7311C7B89A04CBA5
                              Function 6C8BA4CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: \~J
                              • API String ID: 3037903784-3176329776
                              • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                              • Instruction ID: 21c8f33ac24935000eccdd3b7ad9a042f73b243611045b9e1be0d2ac4bdcc8ae
                              • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                              • Instruction Fuzzy Hash: 5FE0ED32A09125ABDB388F4CC910BEEF3A4EF54B18F10842E9022B3B41CBB1AC008680
                              Function 6C8B6431 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: eece216031bf3e64360f4ca399ecd33759f0053eb1667562bc4a388c1a310bed
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 56E06532605521ABE7289B4DDA01B9EF3A4FF54718F11446F9012F7B45CFB1A9148691
                              Function 6C8BC0DB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C8BC0E0
                                • Part of subcall function 6C8BC14B: __EH_prolog.LIBCMT ref: 6C8BC150
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                              • Instruction ID: 0792cf689b112fb310e59242e9100f915967e3589ead2bb70151350e261203f0
                              • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                              • Instruction Fuzzy Hash: 82F0C4B0901B55CFC724DF59D91428ABBF0FB15708B50C92F80AA97B10D7B8A548CFA8
                              Function 6C8AD143 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: c81419d248fc32cd4a14a3faedc1dfb261294f898690c9f4362923df7e51fc7d
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: 76E0ED32A05110ABDB249F8CC910BDEF7A8EF55718F11042FA422A7B52CBB1E801CA80
                              Function 6C8E24AB Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                              • Instruction ID: f1ea4fb4ad39b9371dc6e3b299c5475d60a6ed37623dac2d07a47caad95c0c34
                              • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                              • Instruction Fuzzy Hash: 9F91B5306053069BCB34DF69CB547EE77A2AF4B30CF104C29C8655BB82DB79A949C761
                              Function 6C8D7E19 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: cd738ed42c3ef417861e8b5e37881a67424e68c37073c2273e7f07b903b7fadb
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: F351923191420A9BCF30DF98DA40AEEB7B1EF0531CF104C2AE85167A95EB75AD49C7A1
                              Function 6C8F7F20 Relevance: 5.0, Strings: 4, Instructions: 27COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK
                              • API String ID: 0-3450752836
                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction ID: ecf4433731ec990998909bc9f5895fc7c194ceb72906922b507b481b8afc9278
                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction Fuzzy Hash: 13F01DB06017009ED3208F05D54869BB7F4EB51759F50C91EE19A97A40D3BCE5088FA8
                              Function 6C8E0AAC Relevance: 5.0, Strings: 4, Instructions: 23COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2217810173.000000006C87B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C87B000, based on PE: true
                              • Associated: 00000006.00000002.2218780263.000000006C946000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2218881640.000000006C94C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c6c0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 00K$@0K$P0K$`0K
                              • API String ID: 0-1070766156
                              • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                              • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                              • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                              • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8