Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (renamed because original name is a hash value)
Original sample name: _1.1.5.exe
Analysis ID: 1580554
MD5: 03ea7f971fc545436e2e3dc7dcb4b3ce
SHA1: 6bf3648177bdf3c058370ff1b1497941e57d97f4
SHA256: cd2784184b63ef5c32bb840092c2eb00a4f52ef8ec0ea8ef23277dce0c2d9a12
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • svchost.exe (PID: 6128 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 4100 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" MD5: 03EA7F971FC545436E2E3DC7DCB4B3CE)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PID: 7044 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" MD5: 0C60D7DFC89698F75CB7C33C3D3DFF44)
      • powershell.exe (PID: 6412 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5504 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (PID: 1260 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT MD5: 03EA7F971FC545436E2E3DC7DCB4B3CE)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PID: 7196 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$3040C,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT MD5: 0C60D7DFC89698F75CB7C33C3D3DFF44)
          • 7zr.exe (PID: 7272 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7356 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6028 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 516 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4944 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1836 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7240 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7256 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7436 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7940 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8076 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3268 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1268 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2412 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7636 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 7044, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6412, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7240, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7256, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 7044, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6412, ProcessName: powershell.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentCommandLine: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe", ParentImage: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, ParentProcessId: 6452, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ProcessId: 7044, ProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7240, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7256, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ParentProcessId: 7044, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6412, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6128, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-KT081.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; Virustotal: Detection: 9%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 86.6% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 00000013.00000003.1409632791.0000000003570000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1409772337.0000000003770000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.19.dr
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp; Code function: 13_2_6C92E090 FindFirstFileA,FindClose,FindClose,13_2_6C92E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00196868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,17_2_00196868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00197496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,17_2_00197496
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: svchost.exe, 00000000.00000002.1371897527.0000024343813000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000003.1369604216.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.7.dr, 7zr.exe.13.dr, update.vbc.13.dr, hrsw.vbc.13.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1370752396.0000024343859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369925667.000002434385E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1370752396.0000024343859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.1369925667.000002434385E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tp
Source: svchost.exe, 00000000.00000003.1369980810.000002434385C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1263854548.0000024343836000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371270009.0000024343831000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1369980810.000002434385C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269491921.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269931946.000000007EDCB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000000.1272433979.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000000.1372850787.00000000006FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269491921.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269931946.000000007EDCB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000000.1272433979.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000000.1372850787.00000000006FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vbc.7.dr | Static PE information: section name: .aQ#
Source: update.vbc.13.dr | Static PE information: section name: .aQ#
Source: hrsw.vbc.13.dr | Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C938810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C939450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C7B4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: SecurityJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 001928E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 0022FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00191E40 appears 151 times
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: String function: 6C96C240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpCode function: String function: 6CA09F10 appears 728 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000000.1267798981.0000000000629000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269491921.00000000036EE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269931946.000000007F0CA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeBinary or memory string: OriginalFileNameOT5YaHEIPi.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.19.drBinary string: \Device\TfSysMon
Source: tProtect.dll.19.drBinary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal100.evad.winEXE@125/31@1/0
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C939450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,13_2_6C939450
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00199313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,17_2_00199313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_001A3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,17_2_001A3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00199252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,17_2_00199252
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Code function: 13_2_6C938930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,13_2_6C938930
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | File created: C:\Program Files (x86)\Windows NT\is-P6S25.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:316:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8096:120:WilError_03
(The SM0:<pid>:120:WilError_03 objects are created by the Windows Implementation Library error-handling code in every conhost.exe instance; they carry no attribution value and appear here only because each console spawned by the installer's cmd.exe, sc.exe, 7zr.exe and powershell.exe children created one. Do not build detections or IOCs on them.)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Virustotal: Detection: 9%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$3040C,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(The three records above repeat throughout the trace: the cmd.exe launch 25 times, the sc.exe launch 24 times and the conhost.exe child 23 times. Three repetitions deviate from the pattern: one conhost.exe is attributed to C:\Windows\System32\svchost.exe as its parent, one sc.exe is launched directly by C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp rather than by cmd.exe, and one cmd.exe/sc.exe pair has no conhost.exe child.)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$3040C,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
(24 occurrences of this record in the trace.)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
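The process-creation records above contain the four moves that make this installer worth blocking rather than just flagging: a PowerShell `Add-MpPreference -ExclusionPath 'C:\'` that switches Defender off for the whole system drive, an `sc create ... type= kernel` whose binPath is a `.dll` under `Program Files (x86)\Windows NT` instead of a `.sys` under `System32\drivers`, two `7zr.exe x` runs with the archive password on the command line, and a second-stage `.tmp` relaunching the installer with `/VERYSILENT` (the sample name is Joe Sandbox's `#Uxxxx` escaping of the Chinese word for "installer"). The following triage script is an added example, not part of the Joe Sandbox report or of the sample; it runs those four checks plus a `sc start` retry counter over a constructed, de-duplicated copy of the records listed above. The function names, regular expressions and the threshold of five `sc start` calls are the example's own choices, and the `(parent image, command line)` tuple shape is an assumption about how a reader would feed it process-creation telemetry such as Sysmon event 1:

```python
import re
from collections import Counter

# Constructed sample input: a de-duplicated subset of the "Process created" records in this
# report, as (parent image, command line) pairs. "unknown" is what the sandbox prints when the
# parent could not be attributed. The 24 "sc start" records stand for the retry loop in the trace.
RECORDS = [
    ("unknown",
     r'"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"'),
    (r"C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp",
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    (r"C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp",
     r'"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT'),
    (r"C:\Windows\System32\cmd.exe",
     r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    (r"C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp",
     "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (r"C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp",
     "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
] + [(r"C:\Windows\System32\cmd.exe", "sc start CleverSoar")] * 24

# A drive root such as C:\ (with or without the backslash) excludes the entire volume; the
# negative lookahead rejects longer paths like C:\Users\x, which are a different, weaker signal.
ROOT_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+['\"]?([A-Za-z]:\\?)(?![\w\\])", re.IGNORECASE)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.IGNORECASE)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
SEVENZIP_EXTRACT = re.compile(r"\b7zr?(?:\.exe)?\s+[xe]\b(?P<args>.*)", re.IGNORECASE)
# Inno Setup unpacks its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp, as seen in the trace.
INNO_STAGE2 = re.compile(r"\\is-[A-Z0-9]+\.tmp\\(.+)\.tmp$", re.IGNORECASE)


def defender_root_exclusion(cmdline):
    """Return the excluded drive root when a whole volume is excluded from Defender, else None."""
    m = ROOT_EXCLUSION.search(cmdline)
    return m.group(1) if m else None


def _sc_option(cmdline, key):
    """Value of an sc.exe `key= value` option, quoted or bare (sc.exe needs the space after '=')."""
    m = re.search(re.escape(key) + r"=\s*(?:\"([^\"]*)\"|(\S+))", cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def suspicious_kernel_service(cmdline):
    """Describe an `sc create ... type= kernel` whose image is not a .sys under System32\\drivers."""
    m = SC_CREATE.search(cmdline)
    if not m or (_sc_option(cmdline, "type") or "").lower() != "kernel":
        return None
    binpath = _sc_option(cmdline, "binPath") or ""
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("driver image does not carry a .sys extension")
    if "\\system32\\drivers\\" not in binpath.lower():
        reasons.append("driver image lives outside System32\\drivers")
    return {"service": m.group(1), "binpath": binpath, "reasons": reasons}


def password_extract(cmdline):
    """Return (archive, password) for a 7-Zip extract that passes -p<password> on the command line."""
    m = SEVENZIP_EXTRACT.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    password = next((a[2:] for a in args if a.startswith("-p")), None)
    archive = next((a for a in args if not a.startswith("-")), None)
    return (archive, password) if password is not None else None


def silent_self_relaunch(parent, cmdline):
    """True when an Inno Setup second stage (is-XXXXX.tmp\\<name>.tmp) relaunches <name>.exe /VERYSILENT."""
    m = INNO_STAGE2.search(parent)
    if not m:
        return False
    stem = re.escape(m.group(1))
    return re.search(stem + r"\.exe\"?\s+/VERYSILENT\b", cmdline, re.IGNORECASE) is not None


def service_start_counts(records):
    """Count `sc start <name>` launches per service name across the trace."""
    counts = Counter()
    for _parent, cmdline in records:
        m = SC_START.search(cmdline)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(records, start_loop_threshold=5):
    """Run every check over the records and return a list of (kind, ...) findings."""
    findings = []
    for parent, cmdline in records:
        path = defender_root_exclusion(cmdline)
        if path:
            findings.append(("defender_root_exclusion", parent, path))
        svc = suspicious_kernel_service(cmdline)
        if svc and svc["reasons"]:
            findings.append(("kernel_service", parent, svc["service"], svc["binpath"], tuple(svc["reasons"])))
        extract = password_extract(cmdline)
        if extract:
            findings.append(("password_protected_extract", parent) + extract)
        if silent_self_relaunch(parent, cmdline):
            findings.append(("silent_self_relaunch", parent, cmdline))
    for name, n in service_start_counts(records).items():
        if n >= start_loop_threshold:
            findings.append(("service_start_loop", name, n))
    return findings


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

The kernel-service check is a heuristic, not a verdict: a legitimately installed driver can live outside `System32\drivers`, so its findings are for triage ranking. The password extracted from the `7zr.exe` command line is worth keeping, because it lets an analyst open `res.dat` and `locale3.dat` from the dropped files without running the installer again.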
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Static file information: File size 8321941 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 00000013.00000003.1409632791.0000000003570000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1409772337.0000000003770000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.19.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_002157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 17_2_002157D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Static PE information: real checksum: 0x0 should be: 0x7f6784
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.dr Static PE information: real checksum: 0x0 should be: 0x343670
Source: hrsw.vbc.13.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.19.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: update.vbc.7.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.13.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr Static PE information: real checksum: 0x0 should be: 0x343670
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr Static PE information: section name: .didata
Source: update.vbc.7.dr Static PE information: section name: .00cfg
Source: update.vbc.7.dr Static PE information: section name: .voltbl
Source: update.vbc.7.dr Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.dr Static PE information: section name: .didata
Source: 7zr.exe.13.dr Static PE information: section name: .sxdata
Source: update.vbc.13.dr Static PE information: section name: .00cfg
Source: update.vbc.13.dr Static PE information: section name: .voltbl
Source: update.vbc.13.dr Static PE information: section name: .aQ#
Source: hrsw.vbc.13.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.13.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.13.dr Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C93BDDB push ecx; ret 13_2_6C93BDEE
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C7E0F00 push ss; retn 0001h 13_2_6C7E0F0A
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C96E9F4 push 004AC35Ch; ret 13_2_6C96EA0E
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6CA0A290 push eax; ret 13_2_6CA0A2BE
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6CA09F10 push eax; ret 13_2_6CA09F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_001945F4 push 0023C35Ch; ret 17_2_0019460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_0022FB10 push eax; ret 17_2_0022FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_0022FE90 push eax; ret 17_2_0022FEBE
Source: update.vbc.7.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.13.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.13.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe File created: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Users\user\AppData\Local\Temp\is-KT081.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe File created: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp File created: C:\Users\user\AppData\Local\Temp\is-KT081.tmp\update.vbc
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3389
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Window / User API: threadDelayed 596
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Window / User API: threadDelayed 613
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Window / User API: threadDelayed 547
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KT081.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KT081.tmp\update.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (listed 24 times)
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation (listed 3 times)
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C92E090 FindFirstFileA,FindClose,FindClose, 13_2_6C92E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_00196868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 17_2_00196868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_00197496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 17_2_00197496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_00199C60 GetSystemInfo, 17_2_00199C60
Source: svchost.exe, 00000004.00000002.1580336855.0000017AE7053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000004.00000002.1580177339.0000017AE702B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.1580473655.0000017AE7080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.1580177339.0000017AE702B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000002.1379869682.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c
Source: svchost.exe, 00000004.00000002.1579944598.0000017AE7002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000004.00000002.1580591624.0000017AE708C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.1580336855.0000017AE7053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000ni
Source: svchost.exe, 0000000A.00000002.1579222692.0000020F46A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C7B3886 NtSetInformationThread 00000000,00000011,00000000,00000000 13_2_6C7B3886 (ThreadInformationClass 0x11 is ThreadHideFromDebugger; called with a NULL buffer and zero length, this is the standard way to stop a debugger receiving events from the thread)
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Thread information set: HideFromDebugger (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C943871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6C943871
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_002157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 17_2_002157D0
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C94D425 mov eax, dword ptr fs:[00000030h] 13_2_6C94D425
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C94D456 mov eax, dword ptr fs:[00000030h] 13_2_6C94D456
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C94286D mov eax, dword ptr fs:[00000030h] 13_2_6C94286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6C93C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_6C93C3AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (listed 2 times)
Source: tProtect.dll.19.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (listed 24 times)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
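The two process-creation lines above are the ones a detection engineer would key on: a Defender exclusion covering the whole C: volume, and a service of type kernel whose binPath is a .dll under Program Files rather than a .sys under System32\drivers (the service controller does not care about the extension; the image is loaded into ring 0 just the same). The Python below is an added example written for this page, not code from the report or from the sample. It tokenises Windows command lines, parses sc.exe's "option= value" syntax and PowerShell's -Command and -EncodedCommand arguments, and flags both patterns over a constructed event list that combines the command lines recorded here with two synthetic benign-looking entries. The -EncodedCommand handling goes beyond this sample, which used plain -Command; it covers the base64 form that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the summary refers to. The rule names, severities and the synthetic service name ExampleFlt are illustrative.

```python
"""Added detection example (not part of the Joe Sandbox report): flag Defender
exclusions of a whole volume and kernel-mode services registered with a non-.sys
image, as seen in the process-creation lines of this report."""
import base64
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events (parent image, command line): the three lines recorded
# in this report plus two synthetic benign-looking entries (ExampleFlt, C:\Build\Out).
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp",
     r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''),
    (r"C:\Windows\System32\cmd.exe",
     r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    (r"C:\Windows\System32\cmd.exe", r"sc start CleverSoar"),
    (r"C:\Windows\System32\cmd.exe",  # synthetic: a driver registered the conventional way
     r'sc create ExampleFlt binPath= "C:\Windows\System32\drivers\exampleflt.sys" type= kernel start= demand'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # synthetic: a narrow exclusion
     r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Build\Out'"'''),
]

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
_TOKEN = re.compile(r'''"([^"]*)"|'([^']*)'|(\S+)''')
_ITEM = r"""'[^']*'|"[^"]*"|[^\s,'"]+"""          # one element of a PowerShell array argument
_EXCLUSION = re.compile(rf"-Exclusion(Path|Process|Extension)\s+((?:{_ITEM})(?:\s*,\s*(?:{_ITEM}))*)", re.I)
_DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.I)
_ENC_SWITCH = re.compile(r"^[-/](e[a-z]*)$", re.I)  # -e, -ec, -enc ...: any prefix of -EncodedCommand


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def parse_sc_create(tokens: list[str]):
    """Return (service_name, {option: value}) for 'sc [\\\\server] create <name> opt= value ...'
    or None. sc.exe puts the '=' on the option token and the value in the following token."""
    if len(tokens) < 3 or tokens[0].lower() not in ("sc", "sc.exe"):
        return None
    i = 2 if tokens[1].startswith("\\\\") else 1
    if i + 1 >= len(tokens) or tokens[i].lower() != "create":
        return None
    opts, rest, j = {}, tokens[i + 2:], 0
    while j + 1 < len(rest):
        if rest[j].endswith("="):
            opts[rest[j][:-1].lower()] = rest[j + 1]
            j += 2
        else:
            j += 1
    return tokens[i + 1], opts


def check_sc_create(tokens: list[str]) -> list[Finding]:
    """Kernel-mode services (type= kernel / filesys) load their image into ring 0. A .dll
    image, or a .sys outside System32\\drivers, is how this sample registered tProtect.dll."""
    parsed = parse_sc_create(tokens)
    if not parsed or parsed[1].get("type", "").lower() not in ("kernel", "filesys"):
        return []
    name, opts = parsed
    binpath = opts.get("binpath", "")
    detail = f"service {name!r}: type= {opts['type']} start= {opts.get('start', 'demand')} binPath= {binpath!r}"
    if not binpath.lower().endswith(".sys"):
        return [Finding("high", "kernel_service_non_sys_image", detail)]
    if not binpath.lower().startswith(DRIVER_DIR):
        return [Finding("medium", "kernel_driver_outside_drivers_dir", detail)]
    return []


def encode_powershell_command(script: str) -> str:
    """What -EncodedCommand carries: base64 over the UTF-16LE encoding of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def powershell_script(tokens: list[str]):
    """Recover the script from a powershell.exe command line: -Command consumes the rest of
    the line; -EncodedCommand (any unambiguous prefix) carries UTF-16LE text in base64."""
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("powershell.exe", "powershell", "pwsh.exe", "pwsh"):
        return None
    for k, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-command", "-c"):
            return " ".join(tokens[k + 1:])
        m = _ENC_SWITCH.match(tok)
        if m and "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(tokens[k + 1], validate=True).decode("utf-16-le")
            except ValueError:  # not valid base64 / not UTF-16: leave it for a human
                return None
    return " ".join(tokens[1:])


def check_mppreference(script: str) -> list[Finding]:
    """Flag Add-/Set-MpPreference exclusions; a drive root such as C:\\ switches Defender
    scanning off for effectively everything on the volume."""
    findings: list[Finding] = []
    if not re.search(r"\b(Add|Set)-MpPreference\b", script, re.I):
        return findings
    for m in _EXCLUSION.finditer(script):
        for raw in re.findall(_ITEM, m.group(2)):
            item = raw[1:-1] if raw[:1] in ("'", '"') else raw
            if m.group(1).lower() == "path" and _DRIVE_ROOT.match(item):
                findings.append(Finding("high", "defender_exclusion_drive_root", f"-ExclusionPath {item!r}"))
            else:
                findings.append(Finding("medium", "defender_exclusion_added", f"-Exclusion{m.group(1)} {item!r}"))
    return findings


def scan_events(events):
    """Run both checks over (parent_image, command_line) pairs; returns (parent, Finding) tuples."""
    results = []
    for parent, cmdline in events:
        tokens = tokenize(cmdline)
        findings = check_sc_create(tokens)
        script = powershell_script(tokens)
        if script:
            findings += check_mppreference(script)
        results.extend((parent, f) for f in findings)
    return results


if __name__ == "__main__":
    for parent, f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}  <- {ntpath.basename(parent)}")
```

Run as a script it prints three findings for the sample list: the C:\ exclusion and the CleverSoar service as high, the C:\Build\Out exclusion as medium, and nothing for the sc start lines or the conventionally placed .sys. The .sys and System32\drivers test is a heuristic for what this sample did, not a statement about what the kernel will load: a driver image can carry any extension and live anywhere the service can read, so treat a hit as a reason to pull the file and check its signature, and a miss as no clean bill.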
Source: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp Code function: 13_2_6CA0A720 cpuid 13_2_6CA0A720
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (listed 6 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation (listed 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (listed 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_0019AB2A GetSystemTimeAsFileTime, 17_2_0019AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 17_2_00230090 GetVersion, 17_2_00230090

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000006.00000002.1580871908.0000023439902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

MITRE ATT&CK Matrix (one line per tactic, techniques in the report's column order; the number in parentheses is the report's count of matching signatures for that technique, and techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (2); Service Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Windows Service (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (11); Process Injection (111); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (251); Access Token Manipulation (1); Process Injection (111)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); File and Directory Discovery (3); System Information Discovery (36); Security Software Discovery (461); Virtualization/Sandbox Evasion (251); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1580554; start date 25/12/2024; architecture WINDOWS; score 100; DNS: time.windows.com)
Signatures at the root: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree recovered from the graph (indentation = parent/child; "dropped" lists the PE files each process wrote):
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
  dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PE32)
  #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
    dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
      dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp (PE32)
      #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe
          dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          conhost.exe
        7zr.exe
          conhost.exe
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
svchost.exe
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
cmd.exe
  sc.exe
    conhost.exe
30 other processes started from the root, among them further sc.exe instances, each of which started a conhost.exe

Antivirus detection, submitted file (Source / Detection / Scanner / Label):
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe  10%  Virustotal
#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe  5%  ReversingLabs  Win32.Ransomware.Generic

Antivirus detection, dropped files (Source / Detection / Scanner):
C:\Program Files (x86)\Windows NT\7zr.exe  0%  ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc  26%  ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll  9%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\_isetup\_setup64.tmp  0%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FHQKN.tmp\update.vbc  26%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KT081.tmp\_isetup\_setup64.tmp  0%  ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KT081.tmp\update.vbc  26%  ReversingLabs

No Antivirus matches

Antivirus detection, URLs (Source / Detection / Scanner / Label):
https://dynamic.api.tp  0%  Avira URL Cloud  safe
NameIPActiveMaliciousAntivirus DetectionReputation
time.windows.com
unknown
unknownfalse
    high
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000000.00000003.1369980810.000002434385C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000003.1369925667.000002434385E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371270009.0000024343831000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000003.1263854548.0000024343836000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1370752396.0000024343859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369925667.000002434385E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000000.00000003.1369980810.000002434385C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269491921.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269931946.000000007EDCB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000000.1272433979.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000000.1372850787.00000000006FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.dr | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269491921.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, 00000002.00000003.1269931946.000000007EDCB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 00000007.00000000.1272433979.00000000008B1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp, 0000000D.00000000.1372850787.00000000006FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.2.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp.12.dr | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372105527.0000024343862000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000000.00000002.1371897527.0000024343813000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000000.00000002.1372066142.0000024343858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371115626.0000024343857000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1370752396.0000024343859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369709986.0000024343861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371467572.0000024343865000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000002.1372128534.0000024343868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1369679180.0000024343867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371971016.000002434382B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tp | svchost.exe, 00000000.00000003.1370922051.0000024343841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372017310.0000024343842000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000000.00000002.1372146611.0000024343870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1367327983.000002434386E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000002.1371992475.0000024343833000.00000004.00000020.00020000.00000000.sdmp | false | | high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580554
Start date and time: 2024-12-25 04:42:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 96
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe (renamed because original name is a hash value)
Original Sample Name: _1.1.5.exe
Detection: MAL
Classification: mal100.evad.winEXE@125/31@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 27
• Number of non-executed functions: 115
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, twc.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

No simulations
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Get hash | malicious | Unknown | Browse |
Process: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
• Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
File Type: data
Category: dropped
Size (bytes): 2464593
Entropy (8bit): 7.999917259281929
Encrypted: true
SSDEEP: 49152:P0SaJ6osCkJL5tzvEfxLicWE/IWRHkLkGdlU9+cYtf5awt1dnyu7SC5Huzs:9aJ545tgfxLzrAGHk9dGEprDyPCas
MD5: 5665C80102B80E65A502C6D9080E5F30
SHA1: 966E306CEC6A9C1D523C7B006730B2B6CDCF041B
SHA-256: 136452C453F7CCE33EB4BE3664EF16B6A1FA45B0348F6C5C90B1AF50253FA378
SHA-512: 67551869A5A09EB2407D0F17631233ED937A1A455BA6F006DA39411590385191420456A66CCE4550CD0BECBE4C421A206C4E5E2DC1C4849C3640FAD1C59BA6F3
Malicious: false
Preview: .@S......4..f..............8.P.7.....g...7bP.Z.U...J....{V.z.!}9.uF.`B..KK/......'..<....*'.~m....,..\.....u...noQ7..(.[E.........C^.........bw.:J..m.F..+.rqJ..F.......^).D.y..].4.^.&It.m.y 9..X.;.....C..G.*..(..2-...H.9.&..E..}.x.'.X.K...`.I...v....Y.a.i...O..3.....l._u..B....f...u.z..Y.R.....+-(.>.K.P...1o8B.Y.t...j ...@..C3h.|1?".....Q....R....;Z..O.......4...G....NK.....73........3...c..Rt....)c1.(....-*k.b.9(.(...X..#..."....B.93......"?..U..WQF...7gd..@#0.9..r..0..M........^..r......&....[>.<..HC... r.:..2.....FF!(...p(....B.U......,..i.8_......W*..Qje\Qqy.(.$.d.Jb..l.....$1y.9..((.S....!..p...Z4."...A8.Yh..!1.....A..L.G.sJ.r..(.<.....#{.-.........u?F..^n.D}r..,.o.e.%....GHd.)....SH..r..v..!..N...i.>,....io..j.v.M.aBm...r..1..+....`..h..:.$..G.r.S,)2U.]y'/.!.]...[I7.S..W...R.:........;.~..z....#.p..Yl!.dC...;.G$C.....)<..'<.W..;:6...h%.._..U.s.C.%.=..h.T..>.s.%..~....=..Av......d*....]GL...!....G...Yv...c2'......k...]...

Process: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
File Type: data
Category: dropped
Size (bytes): 2464593
Entropy (8bit): 7.999917259281929
Encrypted: true
SSDEEP: 49152:P0SaJ6osCkJL5tzvEfxLicWE/IWRHkLkGdlU9+cYtf5awt1dnyu7SC5Huzs:9aJ545tgfxLzrAGHk9dGEprDyPCas
MD5: 5665C80102B80E65A502C6D9080E5F30
SHA1: 966E306CEC6A9C1D523C7B006730B2B6CDCF041B
SHA-256: 136452C453F7CCE33EB4BE3664EF16B6A1FA45B0348F6C5C90B1AF50253FA378
SHA-512: 67551869A5A09EB2407D0F17631233ED937A1A455BA6F006DA39411590385191420456A66CCE4550CD0BECBE4C421A206C4E5E2DC1C4849C3640FAD1C59BA6F3
Malicious: false
Preview: .@S......4..f..............8.P.7.....g...7bP.Z.U...J....{V.z.!}9.uF.`B..KK/......'..<....*'.~m....,..\.....u...noQ7..(.[E.........C^.........bw.:J..m.F..+.rqJ..F.......^).D.y..].4.^.&It.m.y 9..X.;.....C..G.*..(..2-...H.9.&..E..}.x.'.X.K...`.I...v....Y.a.i...O..3.....l._u..B....f...u.z..Y.R.....+-(.>.K.P...1o8B.Y.t...j ...@..C3h.|1?".....Q....R....;Z..O.......4...G....NK.....73........3...c..Rt....)c1.(....-*k.b.9(.(...X..#..."....B.93......"?..U..WQF...7gd..@#0.9..r..0..M........^..r......&....[>.<..HC... r.:..2.....FF!(...p(....B.U......,..i.8_......W*..Qje\Qqy.(.$.d.Jb..l.....$1y.9..((.S....!..p...Z4."...A8.Yh..!1.....A..L.G.sJ.r..(.<.....#{.-.........u?F..^n.D}r..,.o.e.%....GHd.)....SH..r..v..!..N...i.>,....io..j.v.M.aBm...r..1..+....`..h..:.$..G.r.S,)2U.]y'/.!.]...[I7.S..W...R.:........;.~..z....#.p..Yl!.dC...;.G$C.....)<..'<.W..;:6...h%.._..U.s.C.%.=..h.T..>.s.%..~....=..Av......d*....]GL...!....G...Yv...c2'......k...]...
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):56546
                                                                                              Entropy (8bit):7.99649875797771
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:sb8XvBZD6GgA/25XpkGDFHCVyzXlRtJYGxCY5xsyevZNW8nCIxb6mEZn86wgl9S4:U85H+DkGDNlVRbY4fOyejDOm08qM4
                                                                                              MD5:63BC99440A59F5BF0269A532923C30C0
                                                                                              SHA1:2605520D843F91A10555A64CDDC151542FD0BEC8
                                                                                              SHA-256:C1E21ACF158CFE838B9DA76FF2E503F64826E188FECCDCFA21AB5A93F32364DB
                                                                                              SHA-512:82B5BD2E321601D745D0B05D6C2DF7E044ED4949CA8749B9C344E3C7CB11DB10213734E85D68CC58218857DDA7999364E045AD7DD9EAA0D787B0820524ABAB43
                                                                                              Malicious:false
                                                                                              Preview:.@S....VP .l ..............S...>^.dV.7..j=.d.-...T9....U{Ru.E..f...n..UOm....g.2Q.....8I<..o.}CY6E...E-..1..W..r..H.........Ki..}.]...x.o...a.4V........B[...,.W.b.R.z0eus..Nd.)5.5{..h.(b....<. .-.]..~g..p.sX.W.?.`^..i....W....Pjt...J.%.,Z.....K...}.....Le#>..J.I.=.%..S...+..*...Z.&..5|.b..z.....s..._..Sgc..#BB.]C/... ..>$^..J.+7.o.F..n.Ei..s.....FO.O...0..4...-Q/.._.d$%.w6.vsp@'&aR....a.*m.x...d..Q.......-......... W..1a+0....l.H.F.M..y.......3..lM....m....|%..h...:v..IVwoUu../p..'...#.;~7..4Y.q...b..]...B...... m.1%..B.>.....)..m....1-#C.1..........g=qzn-I..\$.b8^......l%.GZ..=]..9c...-...iz..y....YxB.:....#..c...I_..#.)w...2...9P.=.!.@.Z0..&..+.&..zY=7.../......|.......|...ax.h4jw.#..!u.X..fSV.(..Q.L..d.z..l.m...".7.iz...z.\....E...../.L.j....P...+..8.v.........E.5dUB..oH..o...$.Z..),......._..o&..3.v.([.._.....%7....]?..HrQ..;....&..%.eP#!Q...o56.^.XA.R~&......(J.2Y..6......j+..-.......$.Q...k....8.a..f.^M..t.....7......]~...R..W.(^..0.E...9..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:dropped
                                                                                              Size (bytes):56546
                                                                                              Entropy (8bit):7.99649875797771
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:uFIdls0DaY1g+3AIL4yMiOqFqgqKjSnwe0aw33XFjSUjG:uFYsu7A5q0j5kLjG
                                                                                              MD5:409CFE53DF3C253AE76242E5CBA8BB14
                                                                                              SHA1:623529513EDAA659BB927D5ED7E790E48018A316
                                                                                              SHA-256:B30B90D8AD7FA7AB74EBE50FDFC1AEA6AD4ABC89AA9F7659B9C9182B1308CDC7
                                                                                              SHA-512:B1843D231088701C1683A41A45C5548F1F5EAD83F8BCFE1964170CFA1252911DC0C1FBEB780462377F4F976EC8730867B531C4298EBB94E92D6B14A85E70185C
                                                                                              Malicious:false
                                                                                              Preview:7z..'..............2........Z.!.P..b..>..y........s..^.....5."sT.dcf.7....&Q.D.....r.:..Ls.?o....TXT..yz.%<.MO..'T.)eN..Tn.O+.....;..;.w..'....wO_.l%/..h..?...z.k....3e!..;....b*.s.dJ=..$...Z.Q...d..X......Q..T..G.J...W.m"...8.|"d...,.iT....RP....R.(.....I.}.`...-"..=.....23..9..D.......Q..!4...S..........,T...q...j ...7K....U...W..Ea.]...e6.....(..Q...}...v......@..x........&n...B.G..jp0M<..9B.Y*..ke:d}&."..0di.IRP.n.......@.6..c..K..C.Y.=......*pi.......d....{..........!.\>.........8.t.kX.P`.BR.a^Z....\..=..:.N.(....I.. .....q..1.w-:A~9.7...............Y3."...{......T..{<:.O....E$^.rGJx...M....V.(..,.e.\v...kN...:D}.......'.....Y....pA....l._.Q.0.G...l.PuM...D....>.VA...Kt.....4..7.RG.L.wv..vEY.f.l..d......<....K...q...q..j8.`'.....Q.?.B-../.%......"..;e..\1....54..p*.W..W.$*..,+.:a.$....L.R....$()r...vc....F...cy.84.......Ti.....9..)....../...T..u.u...Z...z..^x.}3...J.Z&?.x...P.R.r.....NZ..5.x!...^(-$..'.....$.b.\..V.T}....
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):56546
                                                                                              Entropy (8bit):7.996966859255975
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                                                              MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                                                              SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                                                              SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                                                              SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                                                              Malicious:false
                                                                                              Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:dropped
                                                                                              Size (bytes):56546
                                                                                              Entropy (8bit):7.996966859255979
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                                                              MD5:4CB8B7E557C80FC7B014133AB834A042
                                                                                              SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                                                              SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                                                              SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                                                              Malicious:false
                                                                                              Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):31890
                                                                                              Entropy (8bit):7.99402458740637
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                                                              MD5:8622FC7228777F64A47BD6C61478ADD9
                                                                                              SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                                                              SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                                                              SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                                                              Malicious:false
                                                                                              Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:dropped
                                                                                              Size (bytes):31890
                                                                                              Entropy (8bit):7.99402458740637
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                                                              MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                                                              SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                                                              SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                                                              SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                                                              Malicious:false
                                                                                              Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):74960
                                                                                              Entropy (8bit):7.99759370165655
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                                                              MD5:950338D50B95A25F494EE74E97B7B7A9
                                                                                              SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                                                              SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                                                              SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                                                              Malicious:false
                                                                                              Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:dropped
                                                                                              Size (bytes):74960
                                                                                              Entropy (8bit):7.997593701656546
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                                                              MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                                                              SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                                                              SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                                                              SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                                                              Malicious:false
                                                                                              Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):29730
                                                                                              Entropy (8bit):7.994290657653607
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                                                              MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                                                              SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                                                              SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                                                              SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                                                              Malicious:false
                                                                                              Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:modified
                                                                                              Size (bytes):29730
                                                                                              Entropy (8bit):7.994290657653608
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                                                              MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                                                              SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                                                              SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                                                              SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                                                              Malicious:false
                                                                                              Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:7-zip archive data, version 0.4
                                                                                              Category:dropped
                                                                                              Size (bytes):2464593
                                                                                              Entropy (8bit):7.999917259281932
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:WYPvFRd5ZMtePny2zkkc8Q84KToeHHzc0U8XZgqdFYUGYvErIXSn4:xV9KQnRzN4Kk+c0U8p0UG4in4
                                                                                              MD5:A9393518652F0990369819A8337C6AD0
                                                                                              SHA1:8A7E8D860DC6B115999CDCD9FFD39A05F952FF90
                                                                                              SHA-256:0161FBB85C030FCDCC6205E0CF84F22536022278316B7386CC4F899AEFEE6AA6
                                                                                              SHA-512:2A57D44F791A3DA95E610FC189DFCFB2EA0D652B6BFB0885FFE31A198D5A66F2E90847466ACA4016E7E02E9061FA6590F90AC2E7A371E50328087038CFCF55FD
                                                                                              Malicious:false
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):63640
                                                                                              Entropy (8bit):6.482810107683822
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                                                              MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                                                              SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                                                              SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                                                              SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 9%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:ASCII text
                                                                                              Category:dropped
                                                                                              Size (bytes):4096
                                                                                              Entropy (8bit):3.353156097045723
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:dXKLzDlnmL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnbwhldOVQOj6dKbKsz7
                                                                                              MD5:721C2B05051A486EE8150BCB1ABF0673
                                                                                              SHA1:63B69C5AEA5EDB0E9BB0FB88D9F47F2BD05AAB26
                                                                                              SHA-256:76207BAE1387CF8E7A205F34EB8FEE94E36D2A701CE305B64764B86AF6C18684
                                                                                              SHA-512:F3D59295059DB2D7653E64CE1A7414030A284120B62159C90D4B5DA24678E3D01CCC6997FF07BCD6616DCED47FF3B317A838E612E67D979B39C090C9ABED943B
                                                                                              Malicious:false
                                                                                              Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNe
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):2214437
                                                                                              Entropy (8bit):7.999922872901766
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:fclXNksaGnc2RfxA3C66xl58vuoM4Ho07R6+KqAK1d2nxNd7qglRhKT:fCXNikmy66xcml4HoCR6+KRK1CLtA
                                                                                              MD5:099001127986641A6CFAD5AE7BE891A8
                                                                                              SHA1:6D7BD2CE74297577C979AB8C58740A4AD5112C55
                                                                                              SHA-256:7DD7150DE32E90C9A417F4748E1282CA270B546945F34ACF2A3243B786902248
                                                                                              SHA-512:83FCCE63039B8D5AE10653D8439499A82474B8F7534FBB09F2A672E3D8B11561E1CE154456FD22C241E71D84DD253FC62ADBAE3B67744B0E151DFF707D40B4F3
                                                                                              Malicious:false
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):64
                                                                                              Entropy (8bit):1.1628158735648508
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Nllluldhz/lL:NllU
                                                                                              MD5:03744CE5681CB7F5E53A02F19FA22067
                                                                                              SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                                                              SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                                                              SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                                                              Malicious:false
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:modified
                                                                                              Size (bytes):3366912
                                                                                              Entropy (8bit):6.530557407809864
                                                                                              Encrypted:false
                                                                                              SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                                                              MD5:0C60D7DFC89698F75CB7C33C3D3DFF44
                                                                                              SHA1:2456CDD682D6A25EB97E65F087ED2F9EE5A46EE7
                                                                                              SHA-256:76D8A8B8E3E5B039D4C8916B2BAA572D6C3BCD679A8EE100B97C0AEF39C983B1
                                                                                              SHA-512:12273188E8AA10A1F4753A4D4D2E35116E855EA6D7D39A201D1B58073E1C79EF9521B2C4EE7A218B8B0974974AB3DBE84148B45CBE0D8845557889BEC5413CE0
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):6144
                                                                                              Entropy (8bit):4.720366600008286
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                              Category:modified
                                                                                              Size (bytes):3621376
                                                                                              Entropy (8bit):7.006090025798393
                                                                                              Encrypted:false
                                                                                              SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                                                              MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                                                              SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                                                              SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                                                              SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 26%
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):6144
                                                                                              Entropy (8bit):4.720366600008286
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):3621376
                                                                                              Entropy (8bit):7.006090025798393
                                                                                              Encrypted:false
                                                                                              SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                                                              MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                                                              SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                                                              SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                                                              SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 26%
                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):406
                                                                                              Entropy (8bit):5.117520345541057
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                                                              MD5:9200058492BCA8F9D88B4877F842C148
                                                                                              SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                                                              SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                                                              SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                                                              Malicious:false
                                                                                              Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):7.956955410854398
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                                              • Inno Setup installer (109748/4) 1.08%
                                                                                              • InstallShield setup (43055/19) 0.42%
                                                                                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                              File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                                                                                              File size:8'321'941 bytes
                                                                                              MD5:03ea7f971fc545436e2e3dc7dcb4b3ce
                                                                                              SHA1:6bf3648177bdf3c058370ff1b1497941e57d97f4
                                                                                              SHA256:cd2784184b63ef5c32bb840092c2eb00a4f52ef8ec0ea8ef23277dce0c2d9a12
                                                                                              SHA512:9405c3a94401f260ea35d80edf24eaf0fdeb9f8ae2449146c97d1ff51721e4812dd02d195336d3b3072afc1c7f1980794f3e2bdbc5860893520fe59025f189b5
                                                                                              SSDEEP:196608:lk0HqMrtTdrZEQyhgfrA6rcml1Eb/oae9UuYaFBX:lk0K6rKQyhM4mlecNUuYar
                                                                                              TLSH:A1862322F2CBE03EE05E0B3B16B2B15454FB6A116522BD568AECB4ECCF351901D3E657
                                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                              Icon Hash:0c0c2d33ceec80aa
                                                                                              Entrypoint:0x4a83bc
                                                                                              Entrypoint Section:.itext
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:6
                                                                                              OS Version Minor:1
                                                                                              File Version Major:6
                                                                                              File Version Minor:1
                                                                                              Subsystem Version Major:6
                                                                                              Subsystem Version Minor:1
                                                                                              Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                              Instruction
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              add esp, FFFFFFA4h
                                                                                              push ebx
                                                                                              push esi
                                                                                              push edi
                                                                                              xor eax, eax
                                                                                              mov dword ptr [ebp-3Ch], eax
                                                                                              mov dword ptr [ebp-40h], eax
                                                                                              mov dword ptr [ebp-5Ch], eax
                                                                                              mov dword ptr [ebp-30h], eax
                                                                                              mov dword ptr [ebp-38h], eax
                                                                                              mov dword ptr [ebp-34h], eax
                                                                                              mov dword ptr [ebp-2Ch], eax
                                                                                              mov dword ptr [ebp-28h], eax
                                                                                              mov dword ptr [ebp-14h], eax
                                                                                              mov eax, 004A2EBCh
                                                                                              call 00007FDDF0F8A2B5h
                                                                                              xor eax, eax
                                                                                              push ebp
                                                                                              push 004A8AC1h
                                                                                              push dword ptr fs:[eax]
                                                                                              mov dword ptr fs:[eax], esp
                                                                                              xor edx, edx
                                                                                              push ebp
                                                                                              push 004A8A7Bh
                                                                                              push dword ptr fs:[edx]
                                                                                              mov dword ptr fs:[edx], esp
                                                                                              mov eax, dword ptr [004B0634h]
                                                                                              call 00007FDDF101BC3Bh
                                                                                              call 00007FDDF101B78Eh
                                                                                              lea edx, dword ptr [ebp-14h]
                                                                                              xor eax, eax
                                                                                              call 00007FDDF1016468h
                                                                                              mov edx, dword ptr [ebp-14h]
                                                                                              mov eax, 004B41F4h
                                                                                              call 00007FDDF0F84363h
                                                                                              push 00000002h
                                                                                              push 00000000h
                                                                                              push 00000001h
                                                                                              mov ecx, dword ptr [004B41F4h]
                                                                                              mov dl, 01h
                                                                                              mov eax, dword ptr [0049CD14h]
                                                                                              call 00007FDDF1017793h
                                                                                              mov dword ptr [004B41F8h], eax
                                                                                              xor edx, edx
                                                                                              push ebp
                                                                                              push 004A8A27h
                                                                                              push dword ptr fs:[edx]
                                                                                              mov dword ptr fs:[edx], esp
                                                                                              call 00007FDDF101BCC3h
                                                                                              mov dword ptr [004B4200h], eax
                                                                                              mov eax, dword ptr [004B4200h]
                                                                                              cmp dword ptr [eax+0Ch], 01h
                                                                                              jne 00007FDDF10229AAh
                                                                                              mov eax, dword ptr [004B4200h]
                                                                                              mov edx, 00000028h
                                                                                              call 00007FDDF1018088h
                                                                                              mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 4f47b74c29e20ebd47a1e32e38e1dbea | False | 0.18768669577205882 | data | 3.722210548314605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2754957507082153
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 25, 2024 04:43:35.282078981 CET | 63725 | 53 | 192.168.2.7 | 1.1.1.1

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 25, 2024 04:43:35.282078981 CET | 192.168.2.7 | 1.1.1.1 | 0xda05 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 25, 2024 04:43:35.418936014 CET | 1.1.1.1 | 192.168.2.7 | 0xda05 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false

                                                                                              Target ID:0
                                                                                              Start time:22:43:29
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:1
                                                                                              Start time:22:43:29
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                              Imagebase:0x7ff7939f0000
                                                                                              File size:329'504 bytes
                                                                                              MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:2
                                                                                              Start time:22:43:29
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
                                                                                              Imagebase:0x570000
                                                                                              File size:8'321'941 bytes
                                                                                              MD5 hash:03EA7F971FC545436E2E3DC7DCB4B3CE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:3
                                                                                              Start time:22:43:29
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:4
                                                                                              Start time:22:43:29
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:6
                                                                                              Start time:22:43:30
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:7
                                                                                              Start time:22:43:30
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Users\user\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user~1\AppData\Local\Temp\is-16BOC.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$103E6,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe"
                                                                                              Imagebase:0x8b0000
                                                                                              File size:3'366'912 bytes
                                                                                              MD5 hash:0C60D7DFC89698F75CB7C33C3D3DFF44
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:22:43:30
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                              Imagebase:0x7ff741d30000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:9
                                                                                              Start time:22:43:30
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:10
                                                                                              Start time:22:43:34
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:11
                                                                                              Start time:22:43:35
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                              Imagebase:0x7ff7fb730000
                                                                                              File size:496'640 bytes
                                                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:false

                                                                                              Target ID:12
                                                                                              Start time:22:43:39
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
                                                                                              Imagebase:0x7ff7b4ee0000
                                                                                              File size:8'321'941 bytes
                                                                                              MD5 hash:03EA7F971FC545436E2E3DC7DCB4B3CE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Has exited:false

                                                                                              Target ID:13
                                                                                              Start time:22:43:40
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Users\user\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user~1\AppData\Local\Temp\is-HSAQ8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.tmp" /SL5="$3040C,7367538,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe" /VERYSILENT
                                                                                              Imagebase:0x480000
                                                                                              File size:3'366'912 bytes
                                                                                              MD5 hash:0C60D7DFC89698F75CB7C33C3D3DFF44
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:Borland Delphi
                                                                                              Has exited:true

                                                                                              Target ID:14
                                                                                              Start time:22:43:42
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:15
                                                                                              Start time:22:43:42
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:16
                                                                                              Start time:22:43:42
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:22:43:42
Start date:24/12/2024
Path:C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit):true
Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Imagebase:0x190000
File size:831'200 bytes
MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:18
Start time:22:43:42
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:22:43:43
Start date:24/12/2024
Path:C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit):true
Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase:0x190000
File size:831'200 bytes
MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:22:43:43
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:22:43:44
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:22:43:45
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:40
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:41
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:43
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:44
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:45
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:46
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:47
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:48
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:49
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:50
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:51
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:52
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:53
                                                                                              Start time:22:43:45
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:54
                                                                                              Start time:22:43:46
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:55
                                                                                              Start time:22:43:46
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:56
                                                                                              Start time:22:43:46
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:57
                                                                                              Start time:22:43:46
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:77
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:78
Start time:22:43:47
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:79
Start time:22:43:48
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff714dc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:22:43:48
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:81
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:82
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:83
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:84
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:85
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:86
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:87
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:88
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:89
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:90
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:91
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:92
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:sc start CleverSoar
                                                                                              Imagebase:0x7ff72e510000
                                                                                              File size:72'192 bytes
                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:93
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff75da10000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

                                                                                              Target ID:94
                                                                                              Start time:22:43:48
                                                                                              Start date:24/12/2024
                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:cmd /c start sc start CleverSoar
                                                                                              Imagebase:0x7ff714dc0000
                                                                                              File size:289'792 bytes
                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true
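
The seventeen processes above are one retry loop: the same launcher spawns `cmd /c start sc start CleverSoar` over and over within two seconds until the service comes up, each cmd.exe living just long enough to run `sc.exe`. The following Python is an added detection example for that pattern, written for this report; it is neither Joe Sandbox code nor the sample's own code. It runs over a constructed process-creation log whose pipe-separated layout, PIDs and trailing `Spooler` control line are assumptions; the service name and the 22:43:47 to 22:43:48 timing mirror the Target ID 79 to 94 entries.

```python
"""Flag a service-start retry loop of the kind the process list above shows.

Added example for this report; it is not Joe Sandbox code and not the sample's code.
Input is a constructed process-creation log (timestamp|pid|ppid|image|commandline).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both shapes seen above: "cmd /c start sc start CleverSoar" and "sc start CleverSoar".
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)

# Constructed log lines (PIDs and the pipe-separated layout are assumptions); the
# service name and the 22:43:47-22:43:48 timing mirror Target IDs 79-94 above.
# The final Spooler line is a benign control that must not be flagged.
SAMPLE_LOG = """\
2024-12-24 22:43:47|4312|4100|C:\\Windows\\System32\\cmd.exe|cmd /c start sc start CleverSoar
2024-12-24 22:43:47|4320|4312|C:\\Windows\\System32\\sc.exe|sc start CleverSoar
2024-12-24 22:43:48|4328|4100|C:\\Windows\\System32\\cmd.exe|cmd /c start sc start CleverSoar
2024-12-24 22:43:48|4336|4328|C:\\Windows\\System32\\sc.exe|sc start CleverSoar
2024-12-24 22:43:48|4344|4100|C:\\Windows\\System32\\cmd.exe|cmd /c start sc start CleverSoar
2024-12-24 22:43:48|4352|4344|C:\\Windows\\System32\\sc.exe|sc start CleverSoar
2024-12-24 22:43:48|4360|4100|C:\\Windows\\System32\\cmd.exe|cmd /c start sc start CleverSoar
2024-12-24 22:43:48|4368|4360|C:\\Windows\\System32\\sc.exe|sc start CleverSoar
2024-12-24 22:45:10|5000|5001|C:\\Windows\\System32\\sc.exe|sc start Spooler
"""


def parse_events(text):
    """Turn the pipe-separated lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "pid": int(pid), "ppid": int(ppid),
            "image": image, "cmdline": cmdline,
        })
    return events


def service_starts(events):
    """Yield (timestamp, service, parent pid) for sc.exe launches only, so the
    cmd.exe wrapper and its sc.exe child are not counted as two attempts."""
    for ev in events:
        if not ev["image"].lower().endswith("\\sc.exe"):
            continue
        m = SC_START_RE.search(ev["cmdline"])
        if m:
            yield ev["ts"], m.group(1), ev["ppid"]


def find_start_bursts(events, threshold=3, window=timedelta(seconds=10)):
    """Return {service: attempts} for every service whose `sc start` count
    reaches `threshold` inside some sliding window of length `window`."""
    stamps_by_service = defaultdict(list)
    for ts, svc, _ in service_starts(events):
        stamps_by_service[svc.lower()].append(ts)
    hits = {}
    for svc, stamps in stamps_by_service.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[svc] = best
    return hits


def originating_parents(events, service):
    """Walk sc.exe -> cmd.exe -> launcher so the alert names the process that
    is retrying the start, not the throwaway cmd.exe in between."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events}
    image_of = {ev["pid"]: ev["image"] for ev in events}
    origins = set()
    for _, svc, ppid in service_starts(events):
        if svc.lower() != service.lower():
            continue
        pid = ppid
        while image_of.get(pid, "").lower().endswith("\\cmd.exe"):
            pid = parent_of[pid]
        origins.add(pid)
    return origins


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for svc, n in find_start_bursts(evs).items():
        print(f"{svc}: {n} start attempts, launched by pid(s) {sorted(originating_parents(evs, svc))}")
```

The burst count alone is not enough: an administrator's script that hammers `sc start Spooler` in a loop would trip the same threshold, so in production pair the count with an allowlist of service names your fleet is expected to start and alert hardest on names, like CleverSoar here, that belong to no Windows component. The grandparent pivot is what turns the alert into something actionable, because every `sc.exe` in the list above has a different, already-exited cmd.exe as its parent; the process worth killing and collecting is the one that keeps spawning them.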

                                                                                                Execution Graph

                                                                                                Execution Coverage:1.3%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:5.2%
                                                                                                Total number of Nodes:737
                                                                                                Total number of Limit Nodes:9
                                                                                                 execution_graph: interactive node/edge render, not reproduced. The call-graph nodes that survived extraction lie between 0x6c7b4b53 and 0x6c9550fb and resolve either to CRT internals (__dosmaperr, __wsopen_s, _Yarn, _strlen, std::_Facet_Register, std::ios_base::_Ios_base_dtor, std::invalid_argument, with HeapFree / GetLastError error handling) or to the following Windows API call sites:
                                                                                                   6c7b5164  CreateFileA, CloseHandle
                                                                                                   6c92e0a6  FindFirstFileA
                                                                                                   6c938810  OpenSCManagerA
                                                                                                   6c938930  CreateToolhelp32Snapshot
                                                                                                   6c9386e0  CreateProcessA
                                                                                                   6c939450  GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction
                                                                                                   6c7bfbe8  ExitWindowsEx, Sleep
                                                                                                   6c7be8dd  GetCurrentProcess, TerminateProcess
                                                                                                   6c7c37d0, 6c7bed02, 6c7c2452  Sleep
                                                                                                   6c950447, 6c9504a8, 6c95045e  GetConsoleMode, ReadFile, ReadConsoleW (CRT console read path)
                                                                                                   6c93b7ac  IsProcessorFeaturePresent
                                                                                                   6c93ca69  RaiseException
                                                                                                   6c942704  EnterCriticalSection, LeaveCriticalSection
97764 6c92e0a4 97762->97764 97765 6c92e0e0 97763->97765 97764->97763 97766 6c92e0e2 FindClose 97765->97766 97767 6c92e13c 97765->97767 97766->97765 97767->97598 97769 6c938846 97768->97769 97770 6c9388be OpenServiceA 97769->97770 97771 6c938922 97769->97771 97770->97769 97771->97643 97774 6c920893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 97772->97774 97773 6c924e71 CloseHandle 97773->97774 97774->97773 97775 6c7c37cb 97774->97775 97776 6c923bd1 CloseHandle 97774->97776 97778 6c90cea0 WriteFile ReadFile WriteFile WriteFile 97774->97778 97862 6c90c390 97774->97862 97779 6c939450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 97775->97779 97776->97774 97778->97774 97779->97609 97781 6c7d6bd5 97780->97781 97873 6c802020 97781->97873 97783 6c7d6c68 97784 6c93a133 std::_Facet_Register 4 API calls 97783->97784 97785 6c7d6ca0 97784->97785 97890 6c93aa17 97785->97890 97787 6c7d6cb4 97902 6c801d90 97787->97902 97790 6c7d6d8e 97790->97654 97792 6c7d6dc8 97910 6c8026e0 24 API calls 4 library calls 97792->97910 97794 6c7d6dda 97911 6c93ca69 RaiseException 97794->97911 97796 6c7d6def 97912 6c7fe010 67 API calls 97796->97912 97798 6c7d6e0f 97798->97654 97800 6c7d6e9f 97799->97800 97803 6c7d6eb3 97800->97803 98302 6c803560 32 API calls std::_Xinvalid_argument 97800->98302 97806 6c7d6f5b 97803->97806 98304 6c802250 30 API calls 97803->98304 98305 6c8026e0 24 API calls 4 library calls 97803->98305 98306 6c93ca69 RaiseException 97803->98306 97805 6c7d6f6e 97805->97654 97806->97805 98303 6c8037e0 32 API calls std::_Xinvalid_argument 97806->98303 97810 6c7d709e 97809->97810 97813 6c7d70d1 97809->97813 98307 6c8001f0 97810->98307 97812 6c7d7183 97812->97643 97813->97812 98311 6c802250 30 API calls 97813->98311 97816 6c944208 67 API calls 97816->97813 97817 6c7d71ae 98312 6c802340 24 API calls 97817->98312 97819 6c7d71be 98313 6c93ca69 RaiseException 97819->98313 97821 6c7d71c9 97822->97643 97823->97637 97826 6c938770 
97824->97826 97825 6c9387b0 WaitForSingleObject CloseHandle CloseHandle 97825->97826 97826->97825 97827 6c9387a4 97826->97827 97827->97647 97828->97663 97830 6c9390a7 97829->97830 98359 6c9396e0 97830->98359 97832 6c9390b8 97833 6c7d6ba0 104 API calls 97832->97833 97834 6c9390dc 97833->97834 97839 6c939144 97834->97839 97845 6c939157 97834->97845 98378 6c939a30 97834->98378 98386 6c813010 97834->98386 97836 6c93918f std::ios_base::_Ios_base_dtor 98412 6c7fe010 67 API calls 97836->98412 98396 6c939280 97839->98396 97841 6c9391d2 std::ios_base::_Ios_base_dtor 97841->97699 97843 6c93914c 97844 6c7d7090 77 API calls 97843->97844 97844->97845 98411 6c7fe010 67 API calls 97845->98411 97846->97688 97852 6c938966 std::locale::_Setgloballocale 97847->97852 97848 6c938a64 Process32NextW 97848->97852 97849 6c938a14 CloseHandle 97849->97852 97850 6c938a45 Process32FirstW 97850->97852 97851 6c938a96 97851->97617 97852->97848 97852->97849 97852->97850 97852->97851 97853->97634 97854->97654 97856->97616 97857->97750 97858->97757 97859->97759 97860->97752 97861->97755 97863 6c90c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 97862->97863 97864 6c90ce3c 97863->97864 97865 6c90cab9 CreateFileA 97863->97865 97867 6c90b4d0 97863->97867 97864->97774 97865->97863 97868 6c90b4e3 __wsopen_s std::locale::_Setgloballocale 97867->97868 97869 6c90c206 WriteFile 97868->97869 97870 6c90c377 97868->97870 97871 6c90b619 WriteFile 97868->97871 97872 6c90bc23 ReadFile 97868->97872 97869->97868 97870->97863 97871->97868 97872->97868 97874 6c93a133 std::_Facet_Register 4 API calls 97873->97874 97875 6c80207e 97874->97875 97876 6c93aa17 43 API calls 97875->97876 97877 6c802092 97876->97877 97913 6c802f60 42 API calls 4 library calls 97877->97913 97879 6c8020c8 97880 6c80210d 97879->97880 97881 6c802136 97879->97881 97882 6c802120 97880->97882 97914 6c93a67e 9 API calls 2 library calls 97880->97914 97915 6c802250 30 API calls 97881->97915 97882->97783 97885 6c80215b 97916 6c802340 24 API calls 
97885->97916 97887 6c802171 97917 6c93ca69 RaiseException 97887->97917 97889 6c80217c 97889->97783 97891 6c93aa23 __EH_prolog3 97890->97891 97918 6c93a5a5 97891->97918 97896 6c93aa41 97932 6c93aaaa 39 API calls std::locale::_Setgloballocale 97896->97932 97897 6c93aa9c 97897->97787 97899 6c93aa49 97933 6c93a8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 97899->97933 97901 6c93aa5f 97924 6c93a5d6 97901->97924 97903 6c7d6d5d 97902->97903 97904 6c801ddc 97902->97904 97903->97790 97909 6c802250 30 API calls 97903->97909 97938 6c93ab37 97904->97938 97908 6c801e82 97909->97792 97910->97794 97911->97796 97912->97798 97913->97879 97914->97882 97915->97885 97916->97887 97917->97889 97919 6c93a5b4 97918->97919 97920 6c93a5bb 97918->97920 97934 6c943abd 6 API calls std::_Lockit::_Lockit 97919->97934 97922 6c93a5b9 97920->97922 97935 6c93bc7b EnterCriticalSection 97920->97935 97922->97901 97931 6c93a920 6 API calls 2 library calls 97922->97931 97925 6c93a5e0 97924->97925 97926 6c943acb 97924->97926 97930 6c93a5f3 97925->97930 97936 6c93bc89 LeaveCriticalSection 97925->97936 97937 6c943aa6 LeaveCriticalSection 97926->97937 97929 6c943ad2 97929->97897 97930->97897 97931->97896 97932->97899 97933->97901 97934->97922 97935->97922 97936->97930 97937->97929 97939 6c93ab40 97938->97939 97940 6c801dea 97939->97940 97947 6c94343a 97939->97947 97940->97903 97946 6c93fc53 18 API calls __wsopen_s 97940->97946 97942 6c93ab8c 97942->97940 97958 6c943148 65 API calls 97942->97958 97944 6c93aba7 97944->97940 97959 6c944208 97944->97959 97946->97908 97948 6c943445 __wsopen_s 97947->97948 97949 6c943458 97948->97949 97950 6c943478 97948->97950 97984 6c943810 18 API calls __wsopen_s 97949->97984 97954 6c943468 97950->97954 97970 6c94e4fc 97950->97970 97954->97942 97958->97944 97960 6c944214 __wsopen_s 97959->97960 97961 6c944233 97960->97961 97962 6c94421e 97960->97962 97967 6c94422e 97961->97967 98165 6c93fc99 EnterCriticalSection 97961->98165 98180 6c943810 18 API calls __wsopen_s 
97962->98180 97964 6c944250 98166 6c94428c 97964->98166 97967->97940 97968 6c94425b 98181 6c944282 LeaveCriticalSection 97968->98181 97971 6c94e508 __wsopen_s 97970->97971 97986 6c943a8f EnterCriticalSection 97971->97986 97973 6c94e516 97987 6c94e5a0 97973->97987 97978 6c94e662 97979 6c94e781 97978->97979 98011 6c94e804 97979->98011 97983 6c9434bc 97985 6c9434e5 LeaveCriticalSection 97983->97985 97984->97954 97985->97954 97986->97973 97995 6c94e5c3 97987->97995 97988 6c94e523 98001 6c94e55c 97988->98001 97989 6c94e61b 98006 6c94a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 97989->98006 97991 6c94e624 98007 6c947eab HeapFree GetLastError __dosmaperr 97991->98007 97994 6c94e62d 97994->97988 98008 6c94a30f 6 API calls std::_Lockit::_Lockit 97994->98008 97995->97988 97995->97989 97995->97995 98004 6c93fc99 EnterCriticalSection 97995->98004 98005 6c93fcad LeaveCriticalSection 97995->98005 97998 6c94e64c 98009 6c93fc99 EnterCriticalSection 97998->98009 98000 6c94e65f 98000->97988 98010 6c943aa6 LeaveCriticalSection 98001->98010 98003 6c943493 98003->97954 98003->97978 98004->97995 98005->97995 98006->97991 98007->97994 98008->97998 98009->98000 98010->98003 98012 6c94e823 98011->98012 98013 6c94e836 98012->98013 98014 6c94e84b 98012->98014 98027 6c943810 18 API calls __wsopen_s 98013->98027 98022 6c94e96b 98014->98022 98028 6c957598 37 API calls __wsopen_s 98014->98028 98016 6c94e797 98016->97983 98024 6c9576ce 98016->98024 98019 6c94e9bb 98019->98022 98029 6c957598 37 API calls __wsopen_s 98019->98029 98021 6c94e9d9 98021->98022 98030 6c957598 37 API calls __wsopen_s 98021->98030 98022->98016 98031 6c943810 18 API calls __wsopen_s 98022->98031 98032 6c957a86 98024->98032 98027->98016 98028->98019 98029->98021 98030->98022 98031->98016 98034 6c957a92 __wsopen_s 98032->98034 98033 6c957a99 98050 6c943810 18 API calls __wsopen_s 98033->98050 98034->98033 98035 6c957ac4 98034->98035 98041 6c9576ee 98035->98041 98040 6c9576e9 
98040->97983 98052 6c943dbb 98041->98052 98047 6c957724 98048 6c957756 98047->98048 98092 6c947eab HeapFree GetLastError __dosmaperr 98047->98092 98051 6c957b1b LeaveCriticalSection __wsopen_s 98048->98051 98050->98040 98051->98040 98093 6c93f3db 98052->98093 98055 6c943ddf 98057 6c93f4e6 98055->98057 98102 6c93f53e 98057->98102 98059 6c93f4fe 98059->98047 98060 6c95775c 98059->98060 98117 6c957bdc 98060->98117 98066 6c957882 GetFileType 98069 6c9578d4 98066->98069 98070 6c95788d GetLastError 98066->98070 98067 6c95778e __dosmaperr 98067->98047 98068 6c957857 GetLastError 98068->98067 98147 6c954ea0 SetStdHandle __dosmaperr __wsopen_s 98069->98147 98146 6c9430e2 __dosmaperr 98070->98146 98071 6c957805 98071->98066 98071->98068 98145 6c957b47 CreateFileW 98071->98145 98074 6c95789b CloseHandle 98074->98067 98089 6c9578c4 98074->98089 98076 6c95784a 98076->98066 98076->98068 98077 6c9578f5 98078 6c957941 98077->98078 98148 6c957d56 70 API calls 2 library calls 98077->98148 98083 6c957948 98078->98083 98162 6c957e00 70 API calls 2 library calls 98078->98162 98081 6c957976 98082 6c957984 98081->98082 98081->98083 98082->98067 98085 6c957a00 CloseHandle 98082->98085 98149 6c94f015 98083->98149 98163 6c957b47 CreateFileW 98085->98163 98087 6c957a2b 98088 6c957a35 GetLastError 98087->98088 98087->98089 98090 6c957a41 __dosmaperr 98088->98090 98089->98067 98164 6c954e0f SetStdHandle __dosmaperr __wsopen_s 98090->98164 98092->98048 98094 6c93f3fb 98093->98094 98100 6c93f3f2 98093->98100 98095 6c9480a2 __Getctype 37 API calls 98094->98095 98094->98100 98096 6c93f41b 98095->98096 98097 6c948618 __Getctype 37 API calls 98096->98097 98098 6c93f431 98097->98098 98099 6c948645 __fassign 37 API calls 98098->98099 98099->98100 98100->98055 98101 6c94a0c5 5 API calls std::_Lockit::_Lockit 98100->98101 98101->98055 98103 6c93f566 98102->98103 98104 6c93f54c 98102->98104 98106 6c93f56d 98103->98106 98107 6c93f58c 98103->98107 98105 6c93f4cc __wsopen_s HeapFree GetLastError 
98104->98105 98109 6c93f556 __dosmaperr 98105->98109 98106->98109 98110 6c93f48d __wsopen_s HeapFree GetLastError 98106->98110 98108 6c947f33 __fassign MultiByteToWideChar 98107->98108 98112 6c93f59b 98108->98112 98109->98059 98110->98109 98111 6c93f5a2 GetLastError 98111->98109 98112->98111 98113 6c93f5c8 98112->98113 98115 6c93f48d __wsopen_s HeapFree GetLastError 98112->98115 98113->98109 98114 6c947f33 __fassign MultiByteToWideChar 98113->98114 98116 6c93f5df 98114->98116 98115->98113 98116->98109 98116->98111 98118 6c957c17 98117->98118 98120 6c957bfd 98117->98120 98119 6c957b6c __wsopen_s 18 API calls 98118->98119 98123 6c957c4f 98119->98123 98120->98118 98121 6c943810 __wsopen_s 18 API calls 98120->98121 98121->98118 98122 6c957c7e 98124 6c959001 __wsopen_s 18 API calls 98122->98124 98129 6c957779 98122->98129 98123->98122 98126 6c943810 __wsopen_s 18 API calls 98123->98126 98125 6c957ccc 98124->98125 98127 6c957d49 98125->98127 98125->98129 98126->98122 98128 6c94383d __Getctype 11 API calls 98127->98128 98130 6c957d55 98128->98130 98129->98067 98131 6c954cfc 98129->98131 98132 6c954d08 __wsopen_s 98131->98132 98133 6c943a8f std::_Lockit::_Lockit EnterCriticalSection 98132->98133 98139 6c954d0f 98133->98139 98134 6c954d34 98136 6c954f32 __wsopen_s 11 API calls 98134->98136 98135 6c954e06 __wsopen_s LeaveCriticalSection 98137 6c954d76 98135->98137 98138 6c954d39 98136->98138 98137->98067 98144 6c957b47 CreateFileW 98137->98144 98141 6c955080 __wsopen_s EnterCriticalSection 98138->98141 98142 6c954d56 98138->98142 98139->98134 98140 6c954da3 EnterCriticalSection 98139->98140 98139->98142 98140->98142 98143 6c954db0 LeaveCriticalSection 98140->98143 98141->98142 98142->98135 98143->98139 98144->98071 98145->98076 98146->98074 98147->98077 98148->98078 98150 6c954c92 __wsopen_s 18 API calls 98149->98150 98151 6c94f025 98150->98151 98152 6c94f02b 98151->98152 98154 6c954c92 __wsopen_s 18 API calls 98151->98154 98161 6c94f05d 98151->98161 98153 6c954e0f 
__wsopen_s SetStdHandle 98152->98153 98158 6c94f083 __dosmaperr 98153->98158 98156 6c94f054 98154->98156 98155 6c954c92 __wsopen_s 18 API calls 98157 6c94f069 CloseHandle 98155->98157 98159 6c954c92 __wsopen_s 18 API calls 98156->98159 98157->98152 98160 6c94f075 GetLastError 98157->98160 98158->98067 98159->98161 98160->98152 98161->98152 98161->98155 98162->98081 98163->98087 98164->98089 98165->97964 98167 6c944299 98166->98167 98168 6c9442ae 98166->98168 98204 6c943810 18 API calls __wsopen_s 98167->98204 98172 6c9442a9 98168->98172 98182 6c9443a9 98168->98182 98172->97968 98176 6c9442d1 98197 6c94ef88 98176->98197 98178 6c9442d7 98178->98172 98205 6c947eab HeapFree GetLastError __dosmaperr 98178->98205 98180->97967 98181->97967 98183 6c9443c1 98182->98183 98184 6c9442c3 98182->98184 98183->98184 98185 6c94d350 18 API calls 98183->98185 98188 6c94be2e 98184->98188 98186 6c9443df 98185->98186 98206 6c94f25c 98186->98206 98189 6c94be45 98188->98189 98191 6c9442cb 98188->98191 98189->98191 98289 6c947eab HeapFree GetLastError __dosmaperr 98189->98289 98192 6c94d350 98191->98192 98193 6c94d371 98192->98193 98194 6c94d35c 98192->98194 98193->98176 98290 6c943810 18 API calls __wsopen_s 98194->98290 98196 6c94d36c 98196->98176 98198 6c94efae 98197->98198 98202 6c94ef99 __dosmaperr 98197->98202 98199 6c94efd5 98198->98199 98201 6c94eff7 __dosmaperr 98198->98201 98291 6c94f0b1 98199->98291 98299 6c943810 18 API calls __wsopen_s 98201->98299 98202->98178 98204->98172 98205->98172 98207 6c94f268 __wsopen_s 98206->98207 98208 6c94f2ba 98207->98208 98210 6c94f323 __dosmaperr 98207->98210 98213 6c94f270 __dosmaperr 98207->98213 98217 6c955080 EnterCriticalSection 98208->98217 98247 6c943810 18 API calls __wsopen_s 98210->98247 98211 6c94f2c0 98215 6c94f2dc __dosmaperr 98211->98215 98218 6c94f34e 98211->98218 98213->98184 98246 6c94f31b LeaveCriticalSection __wsopen_s 98215->98246 98217->98211 98219 6c94f370 98218->98219 98245 6c94f38c __dosmaperr 98218->98245 98220 6c94f3c4 
98219->98220 98222 6c94f374 __dosmaperr 98219->98222 98221 6c94f3d7 98220->98221 98256 6c94e359 20 API calls __wsopen_s 98220->98256 98248 6c94f530 98221->98248 98255 6c943810 18 API calls __wsopen_s 98222->98255 98227 6c94f42c 98229 6c94f485 WriteFile 98227->98229 98230 6c94f440 98227->98230 98228 6c94f3ed 98231 6c94f416 98228->98231 98232 6c94f3f1 98228->98232 98235 6c94f4a9 GetLastError 98229->98235 98229->98245 98233 6c94f475 98230->98233 98234 6c94f44b 98230->98234 98258 6c94f5a1 43 API calls 5 library calls 98231->98258 98232->98245 98257 6c94f94b 6 API calls __wsopen_s 98232->98257 98261 6c94f9b3 7 API calls 2 library calls 98233->98261 98237 6c94f465 98234->98237 98238 6c94f450 98234->98238 98235->98245 98260 6c94fb77 8 API calls 3 library calls 98237->98260 98241 6c94f455 98238->98241 98238->98245 98259 6c94fa8e 7 API calls 2 library calls 98241->98259 98243 6c94f463 98243->98245 98245->98215 98246->98213 98247->98213 98249 6c9550d5 __wsopen_s 18 API calls 98248->98249 98250 6c94f541 98249->98250 98251 6c94f3e8 98250->98251 98262 6c9480a2 GetLastError 98250->98262 98251->98227 98251->98228 98254 6c94f57e GetConsoleMode 98254->98251 98255->98245 98256->98221 98257->98245 98258->98245 98259->98243 98260->98243 98261->98243 98263 6c9480bf 98262->98263 98264 6c9480b9 98262->98264 98265 6c94a252 __Getctype 6 API calls 98263->98265 98269 6c9480c5 SetLastError 98263->98269 98266 6c94a213 __Getctype 6 API calls 98264->98266 98267 6c9480dd 98265->98267 98266->98263 98268 6c9480e1 98267->98268 98267->98269 98270 6c94a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 98268->98270 98275 6c948153 98269->98275 98276 6c948159 98269->98276 98271 6c9480ed 98270->98271 98273 6c9480f5 98271->98273 98274 6c94810c 98271->98274 98277 6c94a252 __Getctype 6 API calls 98273->98277 98279 6c94a252 __Getctype 6 API calls 98274->98279 98275->98251 98275->98254 98278 6c9441b9 __Getctype 35 API calls 98276->98278 98280 6c948103 98277->98280 98281 6c94815e 98278->98281 
98282 6c948118 98279->98282 98285 6c947eab _free HeapFree GetLastError 98280->98285 98283 6c94811c 98282->98283 98284 6c94812d 98282->98284 98286 6c94a252 __Getctype 6 API calls 98283->98286 98288 6c947eab _free HeapFree GetLastError 98284->98288 98287 6c948109 98285->98287 98286->98280 98287->98269 98288->98287 98289->98191 98290->98196 98292 6c94f0bd __wsopen_s 98291->98292 98300 6c955080 EnterCriticalSection 98292->98300 98294 6c94f0cb 98295 6c94f015 __wsopen_s 21 API calls 98294->98295 98296 6c94f0f8 98294->98296 98295->98296 98301 6c94f131 LeaveCriticalSection __wsopen_s 98296->98301 98298 6c94f11a 98298->98202 98299->98202 98300->98294 98301->98298 98302->97803 98303->97805 98304->97803 98305->97803 98306->97803 98308 6c80022e 98307->98308 98309 6c7d70c4 98308->98309 98314 6c944ecb 98308->98314 98309->97816 98311->97817 98312->97819 98313->97821 98315 6c944ef6 98314->98315 98316 6c944ed9 98314->98316 98315->98308 98316->98315 98317 6c944ee6 98316->98317 98318 6c944efa 98316->98318 98330 6c943810 18 API calls __wsopen_s 98317->98330 98322 6c9450f2 98318->98322 98323 6c9450fe __wsopen_s 98322->98323 98331 6c93fc99 EnterCriticalSection 98323->98331 98325 6c94510c 98332 6c9450af 98325->98332 98329 6c944f2c 98329->98308 98330->98315 98331->98325 98340 6c94bc96 98332->98340 98338 6c9450e9 98339 6c945141 LeaveCriticalSection 98338->98339 98339->98329 98341 6c94d350 18 API calls 98340->98341 98342 6c94bca7 98341->98342 98343 6c9550d5 __wsopen_s 18 API calls 98342->98343 98344 6c94bcad __wsopen_s 98343->98344 98345 6c9450c3 98344->98345 98357 6c947eab HeapFree GetLastError __dosmaperr 98344->98357 98347 6c944f2e 98345->98347 98349 6c944f40 98347->98349 98351 6c944f5e 98347->98351 98348 6c944f4e 98358 6c943810 18 API calls __wsopen_s 98348->98358 98349->98348 98349->98351 98354 6c944f76 _Yarn 98349->98354 98356 6c94bd49 62 API calls 98351->98356 98352 6c9443a9 62 API calls 98352->98354 98353 6c94d350 18 API calls 98353->98354 98354->98351 98354->98352 98354->98353 
98355 6c94f25c __wsopen_s 62 API calls 98354->98355 98355->98354 98356->98338 98357->98345 98358->98351 98360 6c939715 98359->98360 98361 6c802020 52 API calls 98360->98361 98362 6c9397b6 98361->98362 98363 6c93a133 std::_Facet_Register 4 API calls 98362->98363 98364 6c9397ee 98363->98364 98365 6c93aa17 43 API calls 98364->98365 98366 6c939802 98365->98366 98367 6c801d90 89 API calls 98366->98367 98368 6c9398ab 98367->98368 98369 6c9398dc 98368->98369 98413 6c802250 30 API calls 98368->98413 98369->97832 98371 6c939916 98414 6c8026e0 24 API calls 4 library calls 98371->98414 98373 6c939928 98415 6c93ca69 RaiseException 98373->98415 98375 6c93993d 98416 6c7fe010 67 API calls 98375->98416 98377 6c93994f 98377->97832 98379 6c939a7d 98378->98379 98417 6c939c90 98379->98417 98381 6c939b6c 98381->97834 98383 6c939a95 98383->98381 98435 6c802250 30 API calls 98383->98435 98436 6c8026e0 24 API calls 4 library calls 98383->98436 98437 6c93ca69 RaiseException 98383->98437 98387 6c81304f 98386->98387 98394 6c813063 98387->98394 98446 6c803560 32 API calls std::_Xinvalid_argument 98387->98446 98390 6c81311e 98393 6c813131 98390->98393 98447 6c8037e0 32 API calls std::_Xinvalid_argument 98390->98447 98393->97834 98394->98390 98448 6c802250 30 API calls 98394->98448 98449 6c8026e0 24 API calls 4 library calls 98394->98449 98450 6c93ca69 RaiseException 98394->98450 98397 6c93928e 98396->98397 98398 6c9392c1 98396->98398 98399 6c8001f0 64 API calls 98397->98399 98400 6c939373 98398->98400 98451 6c802250 30 API calls 98398->98451 98401 6c9392b4 98399->98401 98400->97843 98402 6c944208 67 API calls 98401->98402 98402->98398 98404 6c93939e 98452 6c802340 24 API calls 98404->98452 98406 6c9393ae 98453 6c93ca69 RaiseException 98406->98453 98408 6c9393b9 98454 6c7fe010 67 API calls 98408->98454 98410 6c939412 std::ios_base::_Ios_base_dtor 98410->97843 98411->97836 98412->97841 98413->98371 98414->98373 98415->98375 98416->98377 98418 6c939cf8 98417->98418 98419 6c939ccc 98417->98419 
98424 6c939d09 98418->98424 98438 6c803560 32 API calls std::_Xinvalid_argument 98418->98438 98434 6c939cf1 98419->98434 98440 6c802250 30 API calls 98419->98440 98422 6c939ed8 98441 6c802340 24 API calls 98422->98441 98424->98434 98439 6c802f60 42 API calls 4 library calls 98424->98439 98425 6c939ee7 98442 6c93ca69 RaiseException 98425->98442 98428 6c939d43 98428->98434 98443 6c802250 30 API calls 98428->98443 98430 6c939f17 98444 6c802340 24 API calls 98430->98444 98432 6c939f2d 98445 6c93ca69 RaiseException 98432->98445 98434->98383 98435->98383 98436->98383 98437->98383 98438->98424 98439->98428 98440->98422 98441->98425 98442->98428 98443->98430 98444->98432 98445->98434 98446->98394 98447->98393 98448->98394 98449->98394 98450->98394 98451->98404 98452->98406 98453->98408 98454->98410 98455 6c7b3d62 98457 6c7b3bc0 98455->98457 98456 6c7b3e8a GetCurrentThread NtSetInformationThread 98458 6c7b3eea 98456->98458 98457->98456 98459 6c94262f 98460 6c94263b __wsopen_s 98459->98460 98461 6c942642 GetLastError ExitThread 98460->98461 98462 6c94264f 98460->98462 98463 6c9480a2 __Getctype 37 API calls 98462->98463 98464 6c942654 98463->98464 98471 6c94d456 98464->98471 98467 6c94266b 98477 6c94259a 16 API calls 2 library calls 98467->98477 98470 6c94268d 98472 6c94d468 GetPEB 98471->98472 98475 6c94265f 98471->98475 98473 6c94d47b 98472->98473 98472->98475 98478 6c94a508 5 API calls std::_Lockit::_Lockit 98473->98478 98475->98467 98476 6c94a45f 5 API calls std::_Lockit::_Lockit 98475->98476 98476->98467 98477->98470 98478->98475 98479 6c7cf150 98482 6c7cefbe 98479->98482 98480 6c7cf243 CreateFileA 98483 6c7cf2a7 98480->98483 98481 6c7d02ca 98482->98480 98483->98481 98484 6c7d02ac GetCurrentProcess TerminateProcess 98483->98484 98484->98481 98485 6c7c3b72 98486 6c93a133 std::_Facet_Register 4 API calls 98485->98486 98491 6c7c37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 98486->98491 98487 6c92e090 2 API calls 98487->98491 98489 6c7d6ba0 104 API calls 98489->98491 
98490 6c7d6e60 32 API calls 98490->98491 98491->98487 98491->98489 98491->98490 98492 6c7d7090 77 API calls 98491->98492 98495 6c7d639e 98491->98495 98498 6c7fe010 67 API calls 98491->98498 98492->98491 98499 6c943820 18 API calls 2 library calls 98495->98499 98498->98491
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: _strlen
• String ID: HR^
• API String ID: 4218353326-1341859651
• Opcode ID: 18ba4388682501c17c0c03dba160cf8f5e785674d058ae844e08349961473d4c
• Instruction ID: 643acabe209fa5929f70be7f5701d45d0b9745f76b93452d65877ab4e01d1f1d
• Opcode Fuzzy Hash: 18ba4388682501c17c0c03dba160cf8f5e785674d058ae844e08349961473d4c
• Instruction Fuzzy Hash: 35741571644B028FC728CF28C9D0A95B7F3EF95318B198A7DC0A69BB55E734B54ACB40

Control-flow Graph
                                                                                                control_flow_graph 4604 6c938930-6c938964 CreateToolhelp32Snapshot 4605 6c938980-6c938989 4604->4605 4606 6c9389d0-6c9389d5 4605->4606 4607 6c93898b-6c938990 4605->4607 4608 6c9389d7-6c9389dc 4606->4608 4609 6c938a34-6c938a62 call 6c93f010 Process32FirstW 4606->4609 4610 6c938992-6c938997 4607->4610 4611 6c938a0d-6c938a12 4607->4611 4612 6c9389e2-6c9389e7 4608->4612 4613 6c938a64-6c938a71 Process32NextW 4608->4613 4621 6c938a76-6c938a86 4609->4621 4617 6c938966-6c938973 4610->4617 4618 6c938999-6c93899e 4610->4618 4614 6c938a14-6c938a2f CloseHandle 4611->4614 4615 6c938a8b-6c938a90 4611->4615 4612->4605 4619 6c9389e9-6c938a08 4612->4619 4613->4621 4614->4605 4615->4605 4622 6c938a96-6c938aa4 4615->4622 4617->4605 4618->4605 4623 6c9389a0-6c9389ca call 6c9462f5 4618->4623 4619->4605 4621->4605 4623->4605
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C93893E
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
• Opcode ID: 4c53c29b3b727c57424e3f670d77be1207f2c4a6779d632b353c08561c0e0b90
• Instruction ID: 89e17ba24f18a642c6c07c80f6ca4154a6e3423aba2320db71d77585ab6d73e6
• Opcode Fuzzy Hash: 4c53c29b3b727c57424e3f670d77be1207f2c4a6779d632b353c08561c0e0b90
• Instruction Fuzzy Hash: 3C31AEB0209312AFD7199F18C88474ABBE4AF89708F11992FF4CCD6360D330D8468B57

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 4877 6c7b3886-6c7b388e 4878 6c7b3970-6c7b397d 4877->4878 4879 6c7b3894-6c7b3896 4877->4879 4880 6c7b397f-6c7b3989 4878->4880 4881 6c7b39f1-6c7b39f8 4878->4881 4879->4878 4882 6c7b389c-6c7b38b9 4879->4882 4880->4882 4883 6c7b398f-6c7b3994 4880->4883 4884 6c7b39fe-6c7b3a03 4881->4884 4885 6c7b3ab5-6c7b3aba 4881->4885 4886 6c7b38c0-6c7b38c1 4882->4886 4889 6c7b399a-6c7b399f 4883->4889 4890 6c7b3b16-6c7b3b18 4883->4890 4891 6c7b3a09-6c7b3a2f 4884->4891 4892 6c7b38d2-6c7b38d4 4884->4892 4885->4882 4888 6c7b3ac0-6c7b3ac7 4885->4888 4887 6c7b395e 4886->4887 4894 6c7b3960-6c7b3964 4887->4894 4888->4886 4895 6c7b3acd-6c7b3ad6 4888->4895 4896 6c7b383b-6c7b3855 call 6c902a20 call 6c902a30 4889->4896 4897 6c7b39a5-6c7b39bf 4889->4897 4890->4886 4898 6c7b38f8-6c7b3955 4891->4898 4899 6c7b3a35-6c7b3a3a 4891->4899 4893 6c7b3957-6c7b395c 4892->4893 4893->4887 4901 6c7b396a 4894->4901 4902 6c7b3860-6c7b3885 4894->4902 4895->4890 4903 6c7b3ad8-6c7b3aeb 4895->4903 4896->4902 4904 6c7b3a5a-6c7b3a5d 4897->4904 4898->4893 4905 6c7b3b1d-6c7b3b22 4899->4905 4906 6c7b3a40-6c7b3a57 4899->4906 4909 6c7b3ba1-6c7b3bb6 4901->4909 4902->4877 4903->4898 4910 6c7b3af1-6c7b3af8 4903->4910 4907 6c7b3aa9-6c7b3ab0 4904->4907 4912 6c7b3b49-6c7b3b50 4905->4912 4913 6c7b3b24-6c7b3b44 4905->4913 4906->4904 4907->4894 4914 6c7b3bc0-6c7b3bda call 6c902a20 call 6c902a30 4909->4914 4916 6c7b3afa-6c7b3aff 4910->4916 4917 6c7b3b62-6c7b3b85 4910->4917 4912->4886 4920 6c7b3b56-6c7b3b5d 4912->4920 4913->4907 4928 6c7b3be0-6c7b3bfe 4914->4928 4916->4893 4917->4898 4924 6c7b3b8b 4917->4924 4920->4894 4924->4909 4931 6c7b3e7b 4928->4931 4932 6c7b3c04-6c7b3c11 4928->4932 4933 6c7b3e81-6c7b3ee0 call 6c7b3750 GetCurrentThread NtSetInformationThread 4931->4933 4934 6c7b3ce0-6c7b3cea 4932->4934 4935 6c7b3c17-6c7b3c20 4932->4935 4952 6c7b3eea-6c7b3f04 call 6c902a20 call 6c902a30 4933->4952 4936 6c7b3d3a-6c7b3d3c 4934->4936 4937 6c7b3cec-6c7b3d0c 4934->4937 4939 6c7b3c26-6c7b3c2d 4935->4939 4940 6c7b3dc5 4935->4940 4942 6c7b3d3e-6c7b3d45 4936->4942 4943 6c7b3d70-6c7b3d8d 4936->4943 4941 6c7b3d90-6c7b3d95 4937->4941 4946 6c7b3dc3 4939->4946 4947 6c7b3c33-6c7b3c3a 4939->4947 4944 6c7b3dc6 4940->4944 4949 6c7b3dba-6c7b3dc1 4941->4949 4950 6c7b3d97-6c7b3db8 4941->4950 4948 6c7b3d50-6c7b3d57 4942->4948 4943->4941 4951 6c7b3dc8-6c7b3dcc 4944->4951 4946->4940 4953 6c7b3c40-6c7b3c5b 4947->4953 4954 6c7b3e26-6c7b3e2b 4947->4954 4948->4944 4949->4946 4955 6c7b3dd7-6c7b3ddc 4949->4955 4950->4940 4951->4928 4956 6c7b3dd2 4951->4956 4971 6c7b3f75-6c7b3fa1 4952->4971 4958 6c7b3e1b-6c7b3e24 4953->4958 4959 6c7b3c7b-6c7b3cd0 4954->4959 4960 6c7b3e31 4954->4960 4963 6c7b3dde-6c7b3e17 4955->4963 4964 6c7b3e36-6c7b3e3d 4955->4964 4962 6c7b3e76-6c7b3e79 4956->4962 4958->4951 4958->4962 4959->4948 4960->4914 4962->4933 4963->4958 4966 6c7b3e3f-6c7b3e5a 4964->4966 4967 6c7b3e5c-6c7b3e5f 4964->4967 4966->4958 4967->4959 4970 6c7b3e65-6c7b3e69 4967->4970 4970->4951 4970->4962 4975 6c7b3fa3-6c7b3fa8 4971->4975 4976 6c7b4020-6c7b4026 4971->4976 4977 6c7b3fae-6c7b3fcf 4975->4977 4978 6c7b407c-6c7b4081 4975->4978 4979 6c7b402c-6c7b403c 4976->4979 4980 6c7b3f06-6c7b3f35 4976->4980 4982 6c7b40aa-6c7b40ae 4977->4982 4978->4982 4985 6c7b4083-6c7b408a 4978->4985 4983 6c7b403e-6c7b4058 4979->4983 4984 6c7b40b3-6c7b40b8 4979->4984 4981 6c7b3f38-6c7b3f61 4980->4981 4988 6c7b3f64-6c7b3f67 4981->4988 4989 6c7b3f6b-6c7b3f6f 4982->4989 4990 6c7b405a-6c7b4063 4983->4990 4984->4977 4987 6c7b40be-6c7b40c9 4984->4987 4985->4981 4986 6c7b4090 4985->4986 4986->4952 4991 6c7b40a7 4986->4991 4987->4982 4992 6c7b40cb-6c7b40d4 4987->4992 4993 6c7b3f69 4988->4993 4989->4971 4994 6c7b4069-6c7b406c 4990->4994 4995 6c7b40f5-6c7b413f 4990->4995 4991->4982 4992->4991 4996 6c7b40d6-6c7b40f0 4992->4996 4993->4989 4998 6c7b4072-6c7b4077 4994->4998 4999 6c7b4144-6c7b414b 4994->4999 4995->4993 4996->4990 4998->4988 4999->4989
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e7aafe30f9438d1a3d8ca9aa2045514424995dad448a441356307fcf4b2e476d
                                                                                                • Instruction ID: 9e4fa0356692235836e27b427e7445f606aaabe23d2362b9786ece3066201e81
                                                                                                • Opcode Fuzzy Hash: e7aafe30f9438d1a3d8ca9aa2045514424995dad448a441356307fcf4b2e476d
                                                                                                • Instruction Fuzzy Hash: E732D832245B018FC324CF28C9D0695B7E3EFD13147698A6DC0EA6BB95DB75B48ACB50
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentThread
                                                                                                • String ID:
                                                                                                • API String ID: 2882836952-0
                                                                                                • Opcode ID: dff58643eeb11c8dd87a5afc7df2c1636a2a6702218e08633d35cdc4302e07de
                                                                                                • Instruction ID: b1a395f23597ab390a2a556ca71b519e462042e6e96198bc53c083de4548ee92
                                                                                                • Opcode Fuzzy Hash: dff58643eeb11c8dd87a5afc7df2c1636a2a6702218e08633d35cdc4302e07de
                                                                                                • Instruction Fuzzy Hash: 3351E331244B018FC320CF28C984785B7E3BFA5314F698A5DC0EA6BA95DF74B48A9B51
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentThread
                                                                                                • String ID:
                                                                                                • API String ID: 2882836952-0
                                                                                                • Opcode ID: a8a0e9e744af54259a0062fd31dccab3cdbe1d1419db028c923fea71d46b9101
                                                                                                • Instruction ID: a50912e0efea958919af24ae0e8ec89509de61affe75cb99ceb2f36b97c9f904
                                                                                                • Opcode Fuzzy Hash: a8a0e9e744af54259a0062fd31dccab3cdbe1d1419db028c923fea71d46b9101
                                                                                                • Instruction Fuzzy Hash: C751D131544B018FC320CF28C580796B7E3BFA5314F698B5DC0EA6BA95DF70B48A9B91
                                                                                                APIs
                                                                                                • GetCurrentThread.KERNEL32 ref: 6C7B3E9D
                                                                                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7B3EAA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Thread$CurrentInformation
                                                                                                • String ID:
                                                                                                • API String ID: 1650627709-0
                                                                                                • Opcode ID: 4d1bd4d01eeeacbfc744e36f397546cd5c31ac676f49e9bc80140f7d8ed76706
                                                                                                • Instruction ID: 8b5d53c655806cd57a437c0abca7fb1b8006408f6016ad6ffc65f5e1e8be8b7d
                                                                                                • Opcode Fuzzy Hash: 4d1bd4d01eeeacbfc744e36f397546cd5c31ac676f49e9bc80140f7d8ed76706
                                                                                                • Instruction Fuzzy Hash: BF312431645B01CFC720CF38C9947C6B7A3AFA5314F698A1DC0AAABA81DF747049AB51
                                                                                                APIs
                                                                                                • GetCurrentThread.KERNEL32 ref: 6C7B3E9D
                                                                                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7B3EAA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Thread$CurrentInformation
                                                                                                • String ID:
                                                                                                • API String ID: 1650627709-0
                                                                                                • Opcode ID: 1f551ccdd7555bac3176b8d1cb74003b18bacebeaeaf71929db16bf6d0ec5250
                                                                                                • Instruction ID: e9d46854c696a263a7fa70b6840fc6f58ad89378a0eac0b4b87cb7fa311d86cd
                                                                                                • Opcode Fuzzy Hash: 1f551ccdd7555bac3176b8d1cb74003b18bacebeaeaf71929db16bf6d0ec5250
                                                                                                • Instruction Fuzzy Hash: E9312131104B01CFC724CF28CA94796B7B6AFA2304F654A5DC0AAABA86DF717089DB51
                                                                                                APIs
                                                                                                • GetCurrentThread.KERNEL32 ref: 6C7B3E9D
                                                                                                • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C7B3EAA
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Thread$CurrentInformation
                                                                                                • String ID:
                                                                                                • API String ID: 1650627709-0
                                                                                                • Opcode ID: 20739d31752c0fced5e9d2b1fb01ec29ad7e130c76068e084afa42cdd06cf7e9
                                                                                                • Instruction ID: c6b749733ed8814992961fdd92ab83764a973a7b988b9ccc33119e713e4edabd
                                                                                                • Opcode Fuzzy Hash: 20739d31752c0fced5e9d2b1fb01ec29ad7e130c76068e084afa42cdd06cf7e9
                                                                                                • Instruction Fuzzy Hash: 24213630218B01CFC728CF34C99479677B6AF52304F654E1DD0AAABAC1DF70B048AB51
                                                                                                APIs
                                                                                                • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C938820
                                                                                                • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C9388C5
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open$ManagerService
                                                                                                • String ID:
                                                                                                • API String ID: 2351955762-0
                                                                                                • Opcode ID: 77cbb34921ff2f30e236f54f6201a93beef381811bf87ed44b49569636ad11ab
                                                                                                • Instruction ID: 24c808eaa817f75d3d2ebd5a4b63ccb427cf1d79ced4865178f62ff83220e423
                                                                                                • Opcode Fuzzy Hash: 77cbb34921ff2f30e236f54f6201a93beef381811bf87ed44b49569636ad11ab
                                                                                                • Instruction Fuzzy Hash: B9313674608312AFC704CF28C959A0EBBF4AB89350F50889AF898D3261D371C8488B67
                                                                                                APIs
                                                                                                • FindFirstFileA.KERNEL32(?,?), ref: 6C92E0AC
                                                                                                • FindClose.KERNEL32(000000FF), ref: 6C92E0E2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirst
                                                                                                • String ID:
                                                                                                • API String ID: 2295610775-0
                                                                                                • Opcode ID: a088cae33a972791dc1b18a1956bd053732ef79fd8609cae5f7c8bbb68d7f9ad
                                                                                                • Instruction ID: db433caa07e9764ab6e8fc156a20ca88d1206220b0f15c4a2f045032248b64b8
                                                                                                • Opcode Fuzzy Hash: a088cae33a972791dc1b18a1956bd053732ef79fd8609cae5f7c8bbb68d7f9ad
                                                                                                • Instruction Fuzzy Hash: 34116D7455C352DFC7108F38C98490ABBF4AB86315F148D5AF4E8C7794DB38D8898B82

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 8Q
                                                                                                • API String ID: 0-4022487301
                                                                                                • Opcode ID: ec52c5f5d24774affdfa3e39649cfde732a0efe41fd375c01708858b16fabcf0
                                                                                                • Instruction ID: 1ab850eb5c4e0ddc678382df7ce6e5a83ab1f5b582a64cf1c4a4f5ec1e5e381a
                                                                                                • Opcode Fuzzy Hash: ec52c5f5d24774affdfa3e39649cfde732a0efe41fd375c01708858b16fabcf0
                                                                                                • Instruction Fuzzy Hash: 4AC12370E042899FDF05CFA9C890BADBBB4BF5A31CF509159E424ABB81D730C956CB61

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 6C957B47: CreateFileW.KERNEL32(00000000,00000000,?,6C957805,?,?,00000000,?,6C957805,00000000,0000000C), ref: 6C957B64
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C957870
                                                                                                • __dosmaperr.LIBCMT ref: 6C957877
                                                                                                • GetFileType.KERNEL32(00000000), ref: 6C957883
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C95788D
                                                                                                • __dosmaperr.LIBCMT ref: 6C957896
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 6C9578B6
                                                                                                • CloseHandle.KERNEL32(6C94E7C0), ref: 6C957A03
                                                                                                • GetLastError.KERNEL32 ref: 6C957A35
                                                                                                • __dosmaperr.LIBCMT ref: 6C957A3C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                • String ID: 8Q
                                                                                                • API String ID: 4237864984-4022487301
                                                                                                • Opcode ID: aecbc7534ac8063f232d38a236c482286c07849b92e71fe090973d60b76bd7b1
                                                                                                • Instruction ID: e82496345d8f22589228eed693e27d0b729ad475afed9a4af939ed3a8aa9bedf
                                                                                                • Opcode Fuzzy Hash: aecbc7534ac8063f232d38a236c482286c07849b92e71fe090973d60b76bd7b1
                                                                                                • Instruction Fuzzy Hash: ABA10432A241058FCF19DF78DCA1BAD7BB5AB16328F548249E815EF390C735CA26C751
                                                                                                APIs
                                                                                                • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C90B62F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite
                                                                                                • String ID: *$,=ym$-=ym$-=ym$B$H
                                                                                                • API String ID: 3934441357-3163594065
                                                                                                • Opcode ID: 4756e476f6d137135abfd1acc40fcd9dbadb537e75028926b75bfa5f31f3a93c
                                                                                                • Instruction ID: 0bbdb40305f4964ff04c41e9db3947f1acf925e94585bc8d8c82c77a6da0b2a2
                                                                                                • Opcode Fuzzy Hash: 4756e476f6d137135abfd1acc40fcd9dbadb537e75028926b75bfa5f31f3a93c
                                                                                                • Instruction Fuzzy Hash: F8727AB06093859FCB24CF28C49065EBBF1AF99304F188E5EE499CBB51E774D8858B53
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: ;T55
                                                                                                • API String ID: 0-2572755013
                                                                                                • Opcode ID: edb9516bfc2f2417556b83d1865d3fe079e899666432484dd7125312c4d02067
                                                                                                • Instruction ID: 2aa7126d5a25a9dd5a8e11746d2eb70d217e564a524ca3b13b5b1492792e4b42
                                                                                                • Opcode Fuzzy Hash: edb9516bfc2f2417556b83d1865d3fe079e899666432484dd7125312c4d02067
                                                                                                • Instruction Fuzzy Hash: C003E131745B028FC728CF28C9D0696B7E3AFD5324719CB6DC0AA4BA95DB34B44ACB51

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateObjectProcessSingleWait
                                                                                                • String ID: D
                                                                                                • API String ID: 2059082233-2746444292
                                                                                                • Opcode ID: 86bb357a512796850884d249c6fc9709657f4be89f1e26a4345908697769d2f3
                                                                                                • Instruction ID: 04f7556d8a71b5651ccadf2a9f1d39e014f20f581ed6361e561b065850d85b98
                                                                                                • Opcode Fuzzy Hash: 86bb357a512796850884d249c6fc9709657f4be89f1e26a4345908697769d2f3
                                                                                                • Instruction Fuzzy Hash: C9310FB1808380CFD754DF28D59871ABBF0AB99318F10AA1EF8E986360D774D985CB47

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                  • Part of subcall function 6C94F5A1: GetConsoleCP.KERNEL32(?,6C94E7C0,?), ref: 6C94F5E9
                                                                                                • WriteFile.KERNEL32(?,?,6C957DDC,00000000,00000000,?,00000000,00000000,6C9591A6,00000000,00000000,?,00000000,6C94E7C0,6C957DDC,00000000), ref: 6C94F49F
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C957DDC,6C94E7C0,00000000,?,?,?,?,00000000,?), ref: 6C94F4A9
                                                                                                • __dosmaperr.LIBCMT ref: 6C94F4EE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                                                                • String ID: 8Q
                                                                                                • API String ID: 251514795-4022487301
                                                                                                • Opcode ID: aa067bbd9d926c1c61e58a957b43d0a180cf9e30f8e8e090caeb12b04f1e42d6
                                                                                                • Instruction ID: 4633760cda98cdcb6b0051b038c7f1140bbcb34fac0000b3fb801acca8557ef4
                                                                                                • Opcode Fuzzy Hash: aa067bbd9d926c1c61e58a957b43d0a180cf9e30f8e8e090caeb12b04f1e42d6
                                                                                                • Instruction Fuzzy Hash: 4C51E371A0020BAFEF00DFB8C884BEEBBB9EF1A35CF148555E510ABA41D774D9458B61

                                                                                                Control-flow Graph

APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C939421
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: Ios_base_dtorstd::ios_base::_
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 323602529-1866435925

Control-flow Graph
APIs
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C90CFE1
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: @*Z$@*Z
• API String ID: 0-2842812045

Control-flow Graph
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,?,6C95794F), ref: 6C94F06B
• GetLastError.KERNEL32(?,00000000,?,6C95794F), ref: 6C94F075
• __dosmaperr.LIBCMT ref: 6C94F0A0
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: 8Q
• API String ID: 0-4022487301
APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9391A4
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9391E4
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: Ios_base_dtorstd::ios_base::_
• String ID:
• API String ID: 323602529-0
APIs
• GetLastError.KERNEL32(6C969DD0,0000000C), ref: 6C942642
• ExitThread.KERNEL32 ref: 6C942649
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: __wsopen_s
                                                                                                • String ID:
                                                                                                • API String ID: 3347428461-0
                                                                                                • Opcode ID: 5b45b09bfcc4642eb23e7da97bf2325e9d64bd91b36207c434f926c227129de6
                                                                                                • Instruction ID: a2ca16244ce950fbb0bb34ace94de0edaa2b84ae1486abf5f713445b58708160
                                                                                                • Opcode Fuzzy Hash: 5b45b09bfcc4642eb23e7da97bf2325e9d64bd91b36207c434f926c227129de6
                                                                                                • Instruction Fuzzy Hash: 4A118C71A0420AAFCF05CF58E94499B7BF8EF48308F1180A9F808EB341D630ED11CBA5
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free
                                                                                                • String ID:
                                                                                                • API String ID: 269201875-0
                                                                                                • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                • Instruction ID: 54119b97f7bfd4ff034d3d13c9dd8751b3a0943e56e4413e28287804c0e60855
                                                                                                • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                                                                • Instruction Fuzzy Hash: D8014F72C1115DAFCF01DFA89C04AEE7FB5AF28214F548165E924E2260E731CA24DB91
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,00000000,?,6C957805,?,?,00000000,?,6C957805,00000000,0000000C), ref: 6C957B64
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
                                                                                                • Opcode ID: 9c41f6adba1566c80ed38c6ae0709aa88260d07b0770d1a9cf0e4bfc8b6e5e7f
                                                                                                • Instruction ID: acdb6cc762b42497ad83f67c6c56daf4a1be74f5a8730e4e7060b3e751c78396
                                                                                                • Opcode Fuzzy Hash: 9c41f6adba1566c80ed38c6ae0709aa88260d07b0770d1a9cf0e4bfc8b6e5e7f
                                                                                                • Instruction Fuzzy Hash: ADD06C3210014DBBEF028E95DC06EDA3BAAFB48715F114000BA1856060C732E861AB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                • Instruction ID: e01d896260bd25bcd69ccbe86a80aa604a75ae08c9365dafb2b0077e3726cd13
                                                                                                • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                                                                • Instruction Fuzzy Hash:
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C986097
                                                                                                  • Part of subcall function 6C9891D6: __EH_prolog.LIBCMT ref: 6C9891DB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: $ $*$0UJ$@$@
                                                                                                • API String ID: 3519838083-862571645
                                                                                                • Opcode ID: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                                                                                • Instruction ID: 91b9be5162f4a0389e7086c482cf7a6cb0aba6c5f46394744266f11cbc70e6b4
                                                                                                • Opcode Fuzzy Hash: e22172b2180ba6d381767f152ec73fcbe70747ea8cb959dd0ada97f8ed321326
                                                                                                • Instruction Fuzzy Hash: EB339331E022599FDF15CF64C850BEDBBB5AF65308F1084A9E409ABA90DB31DE89CF51
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9D88A4
                                                                                                • __aulldiv.LIBCMT ref: 6C9D8C4A
                                                                                                • __aulldiv.LIBCMT ref: 6C9D8C78
                                                                                                • __aulldiv.LIBCMT ref: 6C9D8D18
                                                                                                  • Part of subcall function 6C9DA36D: __EH_prolog.LIBCMT ref: 6C9DA372
                                                                                                  • Part of subcall function 6C9DA40E: __EH_prolog.LIBCMT ref: 6C9DA413
                                                                                                  • Part of subcall function 6C9D9E78: __EH_prolog.LIBCMT ref: 6C9D9E7D
                                                                                                  • Part of subcall function 6C9D424A: __EH_prolog.LIBCMT ref: 6C9D424F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog$__aulldiv
                                                                                                • String ID: L$b
                                                                                                • API String ID: 604474441-3566554212
                                                                                                • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                                                                                • Instruction ID: 26df073cd5f70972d81080fbd91210a500b4e75ab9582c8347c326d0fdca83ac
                                                                                                • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                                                                                                • Instruction Fuzzy Hash: AAE29E31D01689DFCF15DFA4C990ADCBBB5AF25308F15809AD449B7B81DB30AE89CB61
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: _strlen
                                                                                                • String ID: C
                                                                                                • API String ID: 4218353326-4157497815
                                                                                                • Opcode ID: e2da8f67ba6e6db5e706b021ca568af2c04a94ff5e79e80201c850704a7a374a
                                                                                                • Instruction ID: 2234a034bdb227e121a9209aa88de4cc9b8d46a5ed3cd9fb3513c594508fc728
                                                                                                • Opcode Fuzzy Hash: e2da8f67ba6e6db5e706b021ca568af2c04a94ff5e79e80201c850704a7a374a
                                                                                                • Instruction Fuzzy Hash: A5730671644B018FC728CF29C8D0AA5B7F2BF953187198B6DC09B87A95EB74F54ACB40
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32 ref: 6C93945A
                                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C939466
                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C939474
                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C93949B
                                                                                                • NtInitiatePowerAction.NTDLL ref: 6C9394AF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                                                                • String ID: SeShutdownPrivilege
                                                                                                • API String ID: 3256374457-3733053543
                                                                                                • Opcode ID: b55ddd1ed626c0c7343f90640a6f17eaf37357a16de89b158449bdaa76054a70
                                                                                                • Instruction ID: 702ea9c5a82bb12eb9df72f1874ab25432d0771aa00a2f4f8da1fb21756f77c3
                                                                                                • Opcode Fuzzy Hash: b55ddd1ed626c0c7343f90640a6f17eaf37357a16de89b158449bdaa76054a70
                                                                                                • Instruction Fuzzy Hash: 94F0BB70644305EBEB146F24DE1EB9A7BB4EF45705F008508F949D70C1D7706985CBA2
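The API chain in this entry (OpenProcessToken with access 0x28, LookupPrivilegeValueW for SeShutdownPrivilege, AdjustTokenPrivileges, then NtInitiatePowerAction) is the standard way for a process to force a shutdown or reboot: the privilege has to be enabled in the token before the power API will succeed, and it is what the "Contains functionality to shutdown / reboot the system" signature rests on. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses API bullets in the format used by these entries, decodes the OpenProcessToken access mask (0x28 is TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES), and flags the enable-privilege-then-power-action ordering. SAMPLE_TRACE is copied from this entry; BENIGN_TRACE and its 00401xxx addresses are constructed; the regex and the POWER_APIS list are my assumptions about which lines and which APIs to match. One caveat: these bullets come from the IDA plugin's disassembly, so their order reflects code layout, not a recorded execution order, and the ordering check is therefore a heuristic rather than proof of runtime behaviour.

```python
"""Added example, not part of the Joe Sandbox report or the analysed sample.

Scans an API-call trace written in the report's "APIs" bullet format and flags
the sequence behind the "Contains functionality to shutdown / reboot the
system" signature: OpenProcessToken -> LookupPrivilegeValue ->
AdjustTokenPrivileges (privilege enabled), then a power/shutdown API.
It also decodes the DesiredAccess mask passed to OpenProcessToken.
"""
import re

# One bullet of the report's "APIs" list, e.g.
#   • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C939466
#   • NtInitiatePowerAction.NTDLL ref: 6C9394AF
# "Part of subcall function XXXX:" prefixes are accepted as well.
# The pattern is an assumption about the report format, not a Joe Sandbox API.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# TOKEN_* access rights from winnt.h (bit value -> name).
TOKEN_RIGHTS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY",
    0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE",
    0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS",
    0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}

# APIs that actually trigger a shutdown, reboot or power-off (my selection).
POWER_APIS = {
    "NtInitiatePowerAction", "ZwInitiatePowerAction", "NtShutdownSystem",
    "ZwShutdownSystem", "ExitWindowsEx", "InitiateSystemShutdownA",
    "InitiateSystemShutdownW", "InitiateSystemShutdownExA",
    "InitiateSystemShutdownExW", "InitiateShutdownA", "InitiateShutdownW",
}


def parse_api_lines(text):
    """Turn bullet lines into dicts in trace order; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("parent") is not None,
        })
    return calls


def decode_token_access(mask):
    """Name the TOKEN_* bits set in an OpenProcessToken DesiredAccess value."""
    names = [name for bit, name in sorted(TOKEN_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(TOKEN_RIGHTS)
    if unknown:
        names.append(f"0x{unknown:X}")
    return names


def find_privileged_shutdown(calls):
    """Return (privilege, power_api, ref) for the first enable-then-shutdown
    chain, or None. The privilege must be looked up and adjusted before the
    power API appears; disassembly order is only a heuristic for this."""
    privilege = None
    adjusted = False
    for c in calls:
        if c["api"] in ("LookupPrivilegeValueW", "LookupPrivilegeValueA"):
            # Second argument is the privilege name, e.g. SeShutdownPrivilege.
            if len(c["args"]) >= 2 and c["args"][1].startswith("Se"):
                privilege = c["args"][1]
                adjusted = False
        elif c["api"] == "AdjustTokenPrivileges" and privilege:
            adjusted = True
        elif c["api"] in POWER_APIS and adjusted:
            return (privilege, c["api"], c["ref"])
    return None


def analyze(text):
    """Human-readable findings for a trace in the report's bullet format."""
    calls = parse_api_lines(text)
    findings = []
    for c in calls:
        if c["api"] == "OpenProcessToken" and len(c["args"]) >= 2:
            try:
                mask = int(c["args"][1], 16)
            except ValueError:  # the report prints '?' for unresolved args
                continue
            rights = " | ".join(decode_token_access(mask))
            findings.append(f"OpenProcessToken requests {rights} (0x{mask:X}) at {c['ref']:X}")
    hit = find_privileged_shutdown(calls)
    if hit:
        priv, api, ref = hit
        findings.append(f"{priv} enabled, then {api} at {ref:X}: forced shutdown/reboot")
    return findings


# Trace copied from the report entry above (6C93945A..6C9394AF).
SAMPLE_TRACE = """
• GetCurrentProcess.KERNEL32 ref: 6C93945A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C939466
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C939474
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C93949B
• NtInitiatePowerAction.NTDLL ref: 6C9394AF
"""

# Constructed benign trace: token opened for TOKEN_QUERY only, no power API,
# so only the mask decode should be reported.
BENIGN_TRACE = """
• GetCurrentProcess.KERNEL32 ref: 00401000
• OpenProcessToken.ADVAPI32(00000000,00000008), ref: 00401010
• GetTokenInformation.ADVAPI32(?,00000001,?,00000000,?), ref: 00401020
"""

if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(label)
        for finding in analyze(trace):
            print("  ", finding)
```

Feed it any "APIs" block from this report (the bullets can be pasted as-is); the same parser also handles the "Part of subcall function" bullets, which is useful when the privilege adjustment lives in a helper and only the power API sits in the caller.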
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: \j`7$\j`7$j
                                                                                                • API String ID: 0-3644614255
                                                                                                • Opcode ID: 97820282be39f86ae09d941f13f3b1bc7d411e621cafb75af8c0acacae6c2c16
                                                                                                • Instruction ID: c7964459b6233df8bee15e80ec33021b310db70fb991bba51193d3a49c666960
                                                                                                • Opcode Fuzzy Hash: 97820282be39f86ae09d941f13f3b1bc7d411e621cafb75af8c0acacae6c2c16
                                                                                                • Instruction Fuzzy Hash: A642337560D3828FCB24CF68C58065ABBE1BBC9354F248A2EE599E7760D334D849CB53
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9CB4B1
                                                                                                  • Part of subcall function 6C9CC93B: __EH_prolog.LIBCMT ref: 6C9CC940
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: 1$`)K$h)K
                                                                                                • API String ID: 3519838083-3935664338
                                                                                                • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                                                                • Instruction ID: 66f38d289247463e1cf7e3174e34b533ed1845da57c3fd0c8b526e44e6d5e80b
                                                                                                • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                                                                                • Instruction Fuzzy Hash: FBF27B70A04248DFDF11DBA8C884BDDBBB5AF59308F2440D9E449AB781DB75DA85CF22
APIs
• __EH_prolog.LIBCMT ref: 6C9BDEF4
  • Part of subcall function 6C9C1622: __EH_prolog.LIBCMT ref: 6C9C1627
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: $h%K
• API String ID: 3519838083-1737110039
• Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
• Instruction ID: 876ef6f2afee31715accaf6e4488c2dd069c704d14a8153ce92556c21b0e42d4
• Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
• Instruction Fuzzy Hash: 5E538C30901299EFDB15CBA4C984BEDBBB8AF29308F1440D9D449A7791DB70DE89CF52
APIs
• __EH_prolog.LIBCMT ref: 6C999CE5
  • Part of subcall function 6C96FC2A: __EH_prolog.LIBCMT ref: 6C96FC2F
  • Part of subcall function 6C9716A6: __EH_prolog.LIBCMT ref: 6C9716AB
  • Part of subcall function 6C999A0E: __EH_prolog.LIBCMT ref: 6C999A13
  • Part of subcall function 6C999837: __EH_prolog.LIBCMT ref: 6C99983C
  • Part of subcall function 6C99D143: __EH_prolog.LIBCMT ref: 6C99D148
  • Part of subcall function 6C99D143: ctype.LIBCPMT ref: 6C99D16C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog$ctype
• String ID:
• API String ID: 1039218491-3916222277
• Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
• Instruction ID: 6f8e79a52aebda5641931d1056e917b97127e8eadf1baaa56ba345188fb8960a
• Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
• Instruction Fuzzy Hash: 85039B31805288DFDF25DBA4C894BDCBBB4AF35308F288099D44967B91DB34DB89DB61
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: W
• API String ID: 3519838083-655174618
• Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
• Instruction ID: ec17fec0be967bc3b8d1eb4d357ed22690e4449b4d7c0dad9b68a92c2fc22cb9
• Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
• Instruction Fuzzy Hash: 0AB25774A01259DFDB01CFA8C588BADBBB8BF59308F244099E845AB782C775D941CF62
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C943969
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C943973
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C943980
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 4346ac1b8132e71c2e9617b392cb79a06b5721a2edb9cead0e8a6fa3fa13cff2
• Instruction ID: 0aa7231aa27fc6d52234b83573267381169f429010f9ff1ed4178314ab7a25c2
• Opcode Fuzzy Hash: 4346ac1b8132e71c2e9617b392cb79a06b5721a2edb9cead0e8a6fa3fa13cff2
• Instruction Fuzzy Hash: 4831D474901228DBCB21DF69D988BCDBBB8BF18314F6055EAE41CA7390E7309B858F44
APIs
• GetCurrentProcess.KERNEL32(00000000,?,6C942925,6C93D339,00000003,00000000,6C93D339,00000000), ref: 6C94288F
• TerminateProcess.KERNEL32(00000000,?,6C942925,6C93D339,00000003,00000000,6C93D339,00000000), ref: 6C942896
• ExitProcess.KERNEL32 ref: 6C9428A8
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 5137ba5b2f50fb46da1ead0f7a41bad85d74b57b14d3d042742c3850f3aafe9c
• Instruction ID: 2f8d7736eb174717bec5e3f6d722095d735993fe54cb03ca64d00d1bd47979cd
• Opcode Fuzzy Hash: 5137ba5b2f50fb46da1ead0f7a41bad85d74b57b14d3d042742c3850f3aafe9c
• Instruction Fuzzy Hash: 10E0EC31508508AFDF016F66C80CAAD3F79FF65755B218868F919C6761DB3AE982CB80
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-3916222277
• Opcode ID: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
• Instruction ID: 63c6c955677c40a3c6f7774f9cdc09d3f57feb10887446bc7f5f3690b6e27d27
• Opcode Fuzzy Hash: 6283ffce90d7722d82f06bf6062908a4dbdb23c6aa848be1631664cf1bbb550b
• Instruction Fuzzy Hash: 02927D30901649EFDB05CFA8C888BAEBBB5FF15308F244199E815BB791CB74E945CB61
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-3916222277
• Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
• Instruction ID: e660b1a061b7bf79f3405ef04b80a7381ff6fd87f56037358b839b85de7a1ff9
• Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
• Instruction Fuzzy Hash: 6B225770A002099FDB18CFA9C484BADBBF4FF58308F108559E8599BB91D774E945CF92
APIs
• __EH_prolog.LIBCMT ref: 6C9B789B
  • Part of subcall function 6C9B8FC9: __EH_prolog.LIBCMT ref: 6C9B8FCE
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: @ K
• API String ID: 3519838083-4216449128
• Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
• Instruction ID: 9f6c01490054c64c3e725284dee4d19af0a5764e32f637af23f8ed796c5776ac
• Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
• Instruction Fuzzy Hash: DDD1BF30E04215AFDB14CFA4C490BAFB7BABF54318F15866AD405BBB84CB70D985CB61
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: x=J
• API String ID: 3519838083-1497497802
• Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
• Instruction ID: 3f317117d5162007180a35525e8056b8ef0e70f9ae66190ddfdc26673ea0edaf
• Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
• Instruction Fuzzy Hash: F191D331D01149DBEF04EFA6D8909EDB775AF25348F20806AF85167ED1EB31DA89CB90
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C93AFA0
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C93B7C3
  • Part of subcall function 6C93CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C93B7AC,00000000,?,?,?,6C93B7AC,?,6C96853C), ref: 6C93CAC9
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
• String ID:
• API String ID: 915016180-0
• Opcode ID: 25b737b22ea63dbd76c24f354934b0342280302b3e473695d06c3969c1f6ffdc
• Instruction ID: 384563b363bfa29acfc6ced91173b8ffda0ee71c107c955ae3fde7d68c310fcd
• Opcode Fuzzy Hash: 25b737b22ea63dbd76c24f354934b0342280302b3e473695d06c3969c1f6ffdc
• Instruction Fuzzy Hash: D2B19B71E04B1A9BDB18CF65C9A169ABBF4FB09318F20D12AD819E7780D334D645CF90
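Three of the records above in the module at 6C7B0000 have the shape of MSVC runtime helpers rather than of the sample's own logic: IsDebuggerPresent followed by SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter at 6C943969 is how the runtime's fail-fast path behaves, TerminateProcess(GetCurrentProcess()) followed by ExitProcess at 6C94288F is its process-exit helper, and RaiseException with code E06D7363 under a std::invalid_argument constructor is a C++ throw. A sandbox flags the IsDebuggerPresent call regardless, so when reading a listing like this one it is worth separating that boilerplate from a debugger check that stands on its own. The script below is an added triage example, not part of the Joe Sandbox report or of its tooling: it parses records in the listing's own line format and applies the author's own verdict rules (the verdict labels, the API sets and the argument checks are assumptions made here, not sandbox signatures). The first three records of its input are copied from the listing above, trimmed to their API and ID lines; the fourth is constructed to show a hit that does not match the runtime shape.

```python
"""Triage IsDebuggerPresent hits in a Joe Sandbox disassembly listing (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One API line of a record, in the listing's own format, e.g.
#   • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C943969
#   • ExitProcess.KERNEL32 ref: 6C9428A8
#     • Part of subcall function 6C93CA69: RaiseException.KERNEL32(E06D7363,...), ref: 6C93CAC9
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>\S+)")
END_MARK = "Instruction Fuzzy Hash:"  # last field of every record

@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    via: Optional[str]  # callee address when the call sits in a sub-function

@dataclass
class Record:
    opcode_id: str = ""
    calls: List[Call] = field(default_factory=list)

def parse_records(listing: str) -> List[Record]:
    """Split the listing into records and collect each record's API calls."""
    records, cur = [], Record()
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["name"], m["module"], args, m["ref"], m["via"]))
            continue
        m = OPCODE_RE.match(line)
        if m:
            cur.opcode_id = m["id"]
        elif END_MARK in line:
            records.append(cur)
            cur = Record()
    return records

# Shapes the MSVC runtime contributes to every Visual C++ module (author's sets).
FAILFAST = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
CRT_EXIT = {"GetCurrentProcess", "TerminateProcess", "ExitProcess"}
MSVC_CXX_EXCEPTION = "E06D7363"  # RaiseException code used for C++ throws
# Debugger checks worth a look when they do not sit inside the fail-fast shape.
DEBUG_CHECKS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                "NtQueryInformationProcess", "NtSetInformationThread"}

def classify(rec: Record) -> str:
    """Heuristic verdict for one record (author's rules, not the sandbox's)."""
    direct = {c.name for c in rec.calls if c.via is None}
    resets_filter = any(c.name == "SetUnhandledExceptionFilter" and c.args[:1] == ["00000000"]
                        for c in rec.calls)
    if FAILFAST <= direct and resets_filter:
        return "crt-failfast"        # IsDebuggerPresent here is runtime boilerplate
    if direct & DEBUG_CHECKS:
        return "review-anti-debug"   # a debugger check standing on its own
    if CRT_EXIT <= direct:
        return "crt-exit"            # TerminateProcess(GetCurrentProcess()) then ExitProcess
    if any(c.name == "RaiseException" and c.args[:1] == [MSVC_CXX_EXCEPTION] for c in rec.calls):
        return "cxx-throw"
    return "other"

def triage(listing: str) -> List[Tuple[str, str]]:
    return [(r.opcode_id, classify(r)) for r in parse_records(listing)]

# Constructed input: the first three records are copied from the listing above
# (API and ID lines only); the fourth is made up to show a non-boilerplate hit.
REPORT = """\
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C943969
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C943973
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C943980
• Opcode ID: 4346ac1b8132e71c2e9617b392cb79a06b5721a2edb9cead0e8a6fa3fa13cff2
• Instruction Fuzzy Hash: 4831D474901228DBCB21DF69D988BCDBBB8BF18314F6055EAE41CA7390E7309B858F44
• GetCurrentProcess.KERNEL32(00000000,?,6C942925,6C93D339,00000003,00000000,6C93D339,00000000), ref: 6C94288F
• TerminateProcess.KERNEL32(00000000,?,6C942925,6C93D339,00000003,00000000,6C93D339,00000000), ref: 6C942896
• ExitProcess.KERNEL32 ref: 6C9428A8
• Opcode ID: 5137ba5b2f50fb46da1ead0f7a41bad85d74b57b14d3d042742c3850f3aafe9c
• Instruction Fuzzy Hash: 10E0EC31508508AFDF016F66C80CAAD3F79FF65755B218868F919C6761DB3AE982CB80
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C93AFA0
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C93B7C3
  • Part of subcall function 6C93CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C93B7AC,00000000,?,?,?,6C93B7AC,?,6C96853C), ref: 6C93CAC9
• Opcode ID: 25b737b22ea63dbd76c24f354934b0342280302b3e473695d06c3969c1f6ffdc
• Instruction Fuzzy Hash: D2B19B71E04B1A9BDB18CF65C9A169ABBF4FB09318F20D12AD819E7780D334D645CF90
• IsDebuggerPresent.KERNEL32 ref: 00401000
• NtSetInformationThread.NTDLL(FFFFFFFE,00000011,00000000,00000000), ref: 00401010
• Opcode ID: constructed-record-for-contrast
• Instruction Fuzzy Hash: constructed
"""

if __name__ == "__main__":
    for opcode_id, verdict in triage(REPORT):
        print(f"{opcode_id[:16]:<32} {verdict}")
```

Run on the whole report text, the script leaves the three runtime-shaped records out of the anti-debugging discussion and points review at any record where a debugger check appears without the fail-fast companions, such as the constructed fourth record. Sub-function entries ("Part of subcall function") are kept on the record but excluded from the direct-call set, so a helper that is merely reached through another function does not change that function's verdict.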
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: @4J$DsL
• API String ID: 0-2004129199
• Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
• Instruction ID: cbf9c500b1ad8ee5254a428adc299f1c51aa42ec1b474549eed31b4d2ed3ab50
• Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
• Instruction Fuzzy Hash: 41216F377A49564BD74CCA28EC33AB92680E744309B89527EE94BCB7D1DE5D9800C648
APIs
• __EH_prolog.LIBCMT ref: 6C98840F
  • Part of subcall function 6C989137: __EH_prolog.LIBCMT ref: 6C98913C
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID:
                                                                                                • API String ID: 3519838083-0
                                                                                                • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                                                                • Instruction ID: 1865b338a625467d26cb95b124cee8f0d68f08e244a1b71cabc51912397be2bd
                                                                                                • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                                                                • Instruction Fuzzy Hash: 15628A71906219CFDF19CFA4C894BEDBBB9BF14308F14485AE815ABA80D774DA44CFA4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: YA1
                                                                                                • API String ID: 0-613462611
                                                                                                • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                                                                • Instruction ID: abbed23f1b98e26b3a323071473a9e3506528dae049846eea953cc10eb826251
                                                                                                • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                                                                • Instruction Fuzzy Hash: 1D42B3706093818FD316CF28C4906AABBE2FFED308F19596DE4D58B742DA71D946CB42
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: __aulldiv
                                                                                                • String ID:
                                                                                                • API String ID: 3732870572-0
                                                                                                • Opcode ID: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                                                                                • Instruction ID: f16be4ae6892aec051487391cbc838bdcd49eb6cecd8589b3e011275a47528d2
                                                                                                • Opcode Fuzzy Hash: a13d6ee194fb01fface67b9907b125463793f568477540394d21f6f384e52076
                                                                                                • Instruction Fuzzy Hash: C0E17C716083458BC724CF29D880AAAB7F5BFC8358F188A2EFC59CB755D7309985CB91
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID:
                                                                                                • API String ID: 3519838083-0
                                                                                                • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                                                                                • Instruction ID: 861139df5f05c8a3627902dddb5e21b95dd312d946e76c9489d877de8fd8351a
                                                                                                • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                                                                                • Instruction Fuzzy Hash: 62F13670905249EFCB14CFA5C5D0BEEBBB1BF24308F148169D409ABB91DB70EA99CB50
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @
                                                                                                • API String ID: 0-2766056989
                                                                                                • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                                                                                • Instruction ID: 4bf1025819af907f9000678a4c10786741e1512f2d2dd8a0bf0a7e47d6e36964
                                                                                                • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                                                                                • Instruction Fuzzy Hash: CC324AB1A083058FC318CF5AC48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: __aullrem
                                                                                                • String ID:
                                                                                                • API String ID: 3758378126-0
                                                                                                • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                • Instruction ID: 2811a92a37fee385f214b17aaffd9731412db19a1d2a50df4c40befd5f50aeae
                                                                                                • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                                                                • Instruction Fuzzy Hash: 4951E971A092459BD710CF6AC4C12EDFBF6EF79214F18C05EE88897242D27A9D9AC760
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID: 0-3916222277
                                                                                                • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                                                                • Instruction ID: 2bdd88bd663187ef954d00f825647d462c8c923e934f29eab82396d1a0083f79
                                                                                                • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                                                                • Instruction Fuzzy Hash: 8602BD326093818BD326CF28C4907AEBBE2BFE8708F144A2DE4D597B91C775D945CB42
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @
                                                                                                • API String ID: 0-2766056989
                                                                                                • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                • Instruction ID: 5ed4a42905fdf88cfa3c78b753f3453cf0f36dff92515acd446929c08af26bc2
                                                                                                • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                                                                                • Instruction Fuzzy Hash: 16D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: B
                                                                                                • API String ID: 0-1255198513
                                                                                                • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                                                                • Instruction ID: 39ff04f87d018e13a65443d35605ae764304aec54fc03dd0cfa373231513088d
                                                                                                • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                                                                • Instruction Fuzzy Hash: 923106315087558BD714DF28D884AABB3E2FBC4325F60CA3DD89ACBA94E7745415CF41
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                • Instruction ID: 1e68d29f0c05dfaaa5a5698f6524476ced3716002d38d9a274977721a62798e0
                                                                                                • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                                                                                • Instruction Fuzzy Hash: 5C729F766046138FD708CF28C490268FBE1FF88314B5A86ADD95AEB742D770E895CBC0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                • Instruction ID: 3b4ec1db8f24de96ba2aeb27bc7a9cd65e039510bc2c3a10fcd9b6541ad73295
                                                                                                • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                                                                • Instruction Fuzzy Hash: 336207B1A083458FC714CF1AC58055AFBF5BFC8748F148A2EE8A587715D770E946CB92
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                • Instruction ID: 58eef6cec6e81037d07dec1ac709519cc50b7fb54229738fd23a53a7147719d1
                                                                                                • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                                                                                • Instruction Fuzzy Hash: 25427071604B468FD324DF69C8907AAB3F2FB84314F044A2DE4A6C7B94E774E54ACB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                                                                                • Instruction ID: 1df735a106e63c8ac57520210ab203587c2ab87a240e2f3e015758bacc77b2f0
                                                                                                • Opcode Fuzzy Hash: bf70cfe04b665dc64369caa9c5f3f6957600806d567f090f737c69cac13e6594
                                                                                                • Instruction Fuzzy Hash: 96329E71A0024A8BDB09CF28C8902EE3BB2FFA9354F15853DEC599B751DB70D955CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                • Instruction ID: fbbf53ac2d9e954f1411283aba54cfc3cbab5483ccd36f454feb0fee2485dffb
                                                                                                • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                                                                • Instruction Fuzzy Hash: 2912BF712097468FC719CF28C49066AFBE2FFE8344F54492DE99687B42DB31E845CB52
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                • Instruction ID: a3784752d7469e0f06481b4e54c603d60fcf01dc0bd57e0d68458d53ac5a9543
                                                                                                • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                                                                                • Instruction Fuzzy Hash: 8902C573A4875147D715CE2DC880239BBE3FBC0390F6A4A2EE8A587794DAB0D947C791
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                • Instruction ID: 27f8fb221838a70df316ff557506924f147b887af2e73dcfc5d10e26c9b01bdd
                                                                                                • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                                                                • Instruction Fuzzy Hash: 0D02FB31A083128BD319CE28C490279BBF2FBC4355F190B2EE4A6D7B54D774D956CB92
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                                • Instruction ID: 9fccc7bf3f5a35ce5dabac40dccc7b3c3d03d13f6832dd92aca102a4a96e4b41
                                                                                                • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                                                                • Instruction Fuzzy Hash: 2EF1213260468A8BEB25CE28D8547EEB7E2FFD9304F58453DD889CBB40DB35D54A8781
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                                • Instruction ID: ba63ec4a4c42c454a89b40477662cac72dda21e6fcb20bbe1cd5d30552f08ccb
                                                                                                • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                                                                                • Instruction Fuzzy Hash: 92E11F71704B018BE325CF28D4A03EAB7E2EFD8314F554A2DD69687B81DB35E50ACB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                                • Instruction ID: be7b50f293e8b2966ad0bec728337a17de45b8256e5231745c0747e1fcaa4e96
                                                                                                • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                                                                                • Instruction Fuzzy Hash: CAF1AF706087518FC328CF2DD490266FBF2BF89349F184A6EE1D68BA91D339E594CB51
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                                • Instruction ID: aa37ee794f2ae1a67221d24fa2b462597cf7a701b2a0e11140462575ca80c33b
                                                                                                • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                                                                                • Instruction Fuzzy Hash: A8F1D6705087628FC329CF29C49026AFBF1BF85309F188A6ED5E687B91D339E156CB51
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                                • Instruction ID: 0966104122515a78d072ed8b6ed5ac733ede0e8d7501939536c29760144a0744
                                                                                                • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                                                                                • Instruction Fuzzy Hash: E8C1C171604B068BE329DF29C4906EAB7E2EFE8314F158A2DC59B87B45D630E495CB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                                • Instruction ID: dd8db759a62ad0367fd94e6b7e1ca2d6b5880cc798e65c51ef858e41cd522890
                                                                                                • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                                                                • Instruction Fuzzy Hash: 9FD10F71505A568FD318CF1CC4A8336BBE1FF86308F054ABDDAA28B29AD734E516CB50
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                                                                • Instruction ID: f229433d85fe32566657bc9153fc5446dd384054105c2099452e82202b23145e
                                                                                                • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                                                                                • Instruction Fuzzy Hash: 93E1D6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                                                                • Instruction ID: b321174e5ac085564fe97a3a444112bc276a6eca04a63441e48a17a5587ff5ad
                                                                                                • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                                                                • Instruction Fuzzy Hash: D0B1B7366087528BD318DE7CD8508FB73E2EBC1320F54863DE59AC79C4DB35991A8B81
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                                                                • Instruction ID: a446d756a4c3de44206fbd85d76f827566b94a6f9293b45b555abc80ddf0adde
                                                                                                • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                                                                                • Instruction Fuzzy Hash: 2ED1F7B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB600B753D634BB12D794
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                                • Instruction ID: afa009de22e1a9ef5bd5b7915ef32e5eea3fee4e5146870a8836a168a2ed2af8
                                                                                                • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                                                                • Instruction Fuzzy Hash: CAB1F231305B058BD326DF79C890BEAB7E5BFA9308F04452DC5AA87752EF30E5498790
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                                • Instruction ID: 1c7e1e8269c814e3bc111cafdc1dfcd6917f67a57b2d46d00e1702ccc4ba89b4
                                                                                                • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                                                                • Instruction Fuzzy Hash: 4CB1AB756087028BC305DF69C8806ABF7E2FFEC304F14892DE49987711E771A95ACB95
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                                • Instruction ID: d132b8338301db8908d11df75019028395b89c068db53105721c93ed90b240cd
                                                                                                • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                                                                • Instruction Fuzzy Hash: C9A1C67160C3418FC316DF2DC4906AABFE1AFE9348F584A2DE4DA87741D631E94ACB42
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                                                                • Instruction ID: 05b829b065ea3e040f19bb134146da156c3ac36da032bdf88bf047fc19a8ee2d
                                                                                                • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                                                                • Instruction Fuzzy Hash: 3181B035A047068FC321DF29C180256BBE1FFAD714F288AADC5D99B711E772E946CB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                                                                                • Instruction ID: 6e6c4c5d5124b3cd3a116b78c9534c33d0d69944758fafe540f13714c74118de
                                                                                                • Opcode Fuzzy Hash: bad25785083197e856f7efe8fa90cb69a131f3ade8fb02bcfdd4a6e94dde6a99
                                                                                                • Instruction Fuzzy Hash: CFA1AE7190824A8FD729CF19D490AAEB7F2FF84308F188A2DE8968B351D735E556CF41
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                                                                • Instruction ID: ffb0c6ca2903c403b368c3d588a12a9bcbb98dc772d2a160307868534aa6bb3a
                                                                                                • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                                                                • Instruction Fuzzy Hash: 62519736A126124BC30CDA3CD8615E73392EBC5370B18C73EE156C79D4EB79984BC600
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                                                                • Instruction ID: b0e02002706c83787c247f36af5520cc84c3d37e76fcb0892e1fc9c2856e34be
                                                                                                • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                                                                • Instruction Fuzzy Hash: 7651BD72F016099BDB08CEA8D9916ADB7F6FB88304F24856DD415E7781E774DA41CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                                                                • Instruction ID: d8ffd722cf86bc3a1b5ad35d5892f11df0b9bc0ca31e60baa152eb93bf0aaaa4
                                                                                                • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                                                                • Instruction Fuzzy Hash: 3751683550C7068BC314DF6CE8409EAB3A2AFC5320F618B3EE499CB8D1EB755529CB46
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                                                                                • Instruction ID: aa5c3c3e428df43660f89d8cb5bba4bdb6dc41fb098013764a75d6a5aed0e18e
                                                                                                • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                                                                                                • Instruction Fuzzy Hash: 66519F30A087458BD350DF1EC88060AF7E5FF98708F658A6DE998A7711D771E906CBD1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                                                                • Instruction ID: d417a08ba0c19c2da809ca3562d014147de93f1a14092fad2aff907b708a4eb1
                                                                                                • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                                                                • Instruction Fuzzy Hash: ED3114277A540113D70CCD3BCC1279FA15B5BD422A75ECF396C06CEF55D52CC8164154
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                                                                                • Instruction ID: 53bf5f62f2e648df7c26499c836623a038932965b47556754547772e6f915218
                                                                                                • Opcode Fuzzy Hash: 9e60619b53f5733759f851c7e89353584e6ca2cea002716f3001e8b4c6fadb46
                                                                                                • Instruction Fuzzy Hash: 9C31F873704E8A4BF301855ACD4C36A7227DBC2378F1A8734DA7687AE8DA71D6478349
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                                                                • Instruction ID: 4409aa039645bc84ae927f6b5c0213be4d344512d8ab8923da4a17ae3e6cfe76
                                                                                                • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                                                                                • Instruction Fuzzy Hash: 873105B3504E464AF300C52AC9883667227DBC3368F698369D97697AECCB71D957C380
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ca3d3558a34540705294eccf7bd1623b7630746854fd36d8ae50977da381c372
                                                                                                • Instruction ID: 12af9413255b03bff91d50e4243003bee357a097d52f10931e02a90dc3ffb515
                                                                                                • Opcode Fuzzy Hash: ca3d3558a34540705294eccf7bd1623b7630746854fd36d8ae50977da381c372
                                                                                                • Instruction Fuzzy Hash: F4419C72A5871A8FC304DE58EC804FAB3E6EFC8310F904B3D9965972D5D771691AC390
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                                • Instruction ID: 0d816a62f92f1fbc54f5cd2a5e5d21adaf9dbf4103ad04904674a2ba1c3b63fc
                                                                                                • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                                                                                • Instruction Fuzzy Hash: BF41C17290470A8BD704CF19C89056AB3E4FF88358F464A6DED6AA7391E331FA15CB81
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                                                                • Instruction ID: f8862fcd008d2477beb692cf98c1f083e969828c268bc15c66727a7bd45d5d49
                                                                                                • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                                                                • Instruction Fuzzy Hash: 68317931A147128BD728CA39D4500ABB3E2EBC5318B54CB2DC0568B589EB75500BCB42
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                                                                • Instruction ID: ceb5efc92fa5e74455782712ee3a945783acd95d0a8734f15256db3d2db9e9f1
                                                                                                • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                                                                • Instruction Fuzzy Hash: 8A219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D77AC457C385
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                                                                                • Instruction ID: ebe4a36106ef66f5ea86a7615010a38c18fd79bbdf403a222891b53721da88c3
                                                                                                • Opcode Fuzzy Hash: 64767f10f9c171ab935b0bf025eacf772035bcd2eb799dcdd82e02b09b12ee02
                                                                                                • Instruction Fuzzy Hash: D02190327193428FC308DF58D88096BBBE6FFC9210F15857DE9948B351C635E906CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                                                                                • Instruction ID: 69e43835ad61a710d6580e14f8e6dda03d7643b202b9e33ab98090b268e8bff9
                                                                                                • Opcode Fuzzy Hash: 48f6a5bdde1c9cea4668397cf668c04db0f725afa69fc77866d080b4e5372864
                                                                                                • Instruction Fuzzy Hash: 11118E722183864BC308CE1DDC90976BBE5FBC9200F24497DE995C7341C625D907DBA5
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                                                                                • Instruction ID: 57a69b88259a0b9865725ec3187fd6f7451095e9ee09c993e781458cdfb65462
                                                                                                • Opcode Fuzzy Hash: 94bd1a651729923c4c8d3d4bf4c81e233e4e8cf0a286e62590c7b03c1869421d
                                                                                                • Instruction Fuzzy Hash: 8801216529628989D781DA79D890788FE80F756207F9CC3F4D0C8CBF42D589C58BC3A1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e3b9fa7502d6be9223b34c412815bc4f5cdf8d8641a9945932f07c881aea0f42
                                                                                                • Instruction ID: 054c70e4da473af6fe6140b9aa1944e43b9793c2be4f4ab6461652f6c3ed538e
                                                                                                • Opcode Fuzzy Hash: e3b9fa7502d6be9223b34c412815bc4f5cdf8d8641a9945932f07c881aea0f42
                                                                                                • Instruction Fuzzy Hash: FCF03936A15224ABCB16CA4DC905B8973BCEB45BA9F1181A7F545EB680C6B0EE40C7D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                                                                • Instruction ID: 114ec7cf82afec0f8dc78411b007e2d0e7be34fcb6ce30dba38e30b76d18dde2
                                                                                                • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                                                                • Instruction Fuzzy Hash: 88E08C32912238EBCB14CB88C904D8AF3ECEB45B14B1180A6F505D3680C674EE00C7D0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                                                                                • Instruction ID: 68167a29ac710baccba3f3314fa212a1f0025bf3712ed2e3a83fbd8f329005f6
                                                                                                • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                                                                                • Instruction Fuzzy Hash: 0AC08CA322810017C312EA25A8C0BAAF6B37360330F26CC2EA0A2F7E43C328C0A48111
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                                                                • API String ID: 3519838083-609671
                                                                                                • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                • Instruction ID: e5a6f4a82ba93fcd64f162f93d4f62a073f27831350a474decc02dc707f3c725
                                                                                                • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                                                                • Instruction Fuzzy Hash: 84D1A231A04249EFCF00CFE4D980AEDB7B9FF1A308F24451AE055A7A50DB70D94ACB60
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: L$L'K$T'K$\'K$d'K$p'K$)K
                                                                                                • API String ID: 3519838083-3887797823
                                                                                                • Opcode ID: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                                                                                • Instruction ID: dfce341aba44372fac4853613e1630dc7f0d302fce7489c510e9748b304d3c61
                                                                                                • Opcode Fuzzy Hash: 47b27f50cc51f1a94238cd0256452db9f2d92a2e889979d702001e9d19a1f323
                                                                                                • Instruction Fuzzy Hash: F202C570A01249DFDB11CF64C990ADDFBB9BF25318F5481AED055A7A50DB30EA88CB63
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9B8B74
                                                                                                  • Part of subcall function 6C9B8AC2: __EH_prolog.LIBCMT ref: 6C9B8AC7
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: DJ$H K$L K$P K$T K$X K$\ K
                                                                                                • API String ID: 3519838083-3148776506
                                                                                                • Opcode ID: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                                                                                • Instruction ID: 75e39d5e3476fc5c1e70848dd74f04aa13fab907cde83361fb97341889f46c46
                                                                                                • Opcode Fuzzy Hash: 1e695b17fc03ab30503818bc101f4fbde075140751d540bd7eda0f269636307e
                                                                                                • Instruction Fuzzy Hash: 7051B270901107ABCF18EEA4C480AEFB375ABA930CB14C51BD8617BE80DB74E90AC758
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: $ $$ K$, K$.$o
                                                                                                • API String ID: 3519838083-1786814033
                                                                                                • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                • Instruction ID: 7c424accd0dd464453e5eb95a9443c115abd2f397e1a847e20164d922edae002
                                                                                                • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                                                                                • Instruction Fuzzy Hash: 83D1F431D04259ABCF15CFA8C8907EFBBB6BF19308F24426AD455BBA41C771E948CB61
                                                                                                APIs
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6C93D1F7
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6C93D1FF
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6C93D288
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6C93D2B3
                                                                                                • _ValidateLocalCookies.LIBCMT ref: 6C93D308
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                 • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                 • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 1170836740-1018135373
                                                                                                • Opcode ID: 3f9939e342816d32d1861a8db7370184979010b59802d480c4f3ff3596627ceb
                                                                                                • Instruction ID: 041249e5c6f065bf5eb29dbe459185b599aca03a1d613860c11750e84130465f
                                                                                                • Opcode Fuzzy Hash: 3f9939e342816d32d1861a8db7370184979010b59802d480c4f3ff3596627ceb
                                                                                                • Instruction Fuzzy Hash: 2041E731A1126D9BCF00CF68C860ADEBBB5BF5532CF108155E82C9BB51D731DA16CB94
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 0-537541572
                                                                                                • Opcode ID: d56cc916e1d0850a2f64f09e8c43406e4f7fe06be94b271b0cce68b104f85ee8
                                                                                                • Instruction ID: ed9fd0b5402b168a86c041c226a46e05703393a10ad62df53084dddbb9210fa5
                                                                                                • Opcode Fuzzy Hash: d56cc916e1d0850a2f64f09e8c43406e4f7fe06be94b271b0cce68b104f85ee8
                                                                                                • Instruction Fuzzy Hash: C321BB71E06225EBEB218A699C44E5E37AC9B12768F258634EC15A77C0DE34DC01C7E4
                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(?,6C94E7C0,?), ref: 6C94F5E9
                                                                                                • __fassign.LIBCMT ref: 6C94F7C8
                                                                                                • __fassign.LIBCMT ref: 6C94F7E5
                                                                                                • WriteFile.KERNEL32(?,6C9591A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C94F82D
                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C94F86D
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C94F919
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 4031098158-0
                                                                                                • Opcode ID: 8f8b509e2677da87818876b8005411c86944fd1b2de2e2abcbc0cd9e59f52243
                                                                                                • Instruction ID: 0fcd5e4de09d98eeb16dfdfc132109cc6aeeb53b66660e540c9a220fd4c6207c
                                                                                                • Opcode Fuzzy Hash: 8f8b509e2677da87818876b8005411c86944fd1b2de2e2abcbc0cd9e59f52243
                                                                                                • Instruction Fuzzy Hash: B3D1A971E0125A9FDF15CFA8C8909EDBBB5FF09318F28816AE855BB741D730A906CB50
                                                                                                APIs
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 6C802F95
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 6C802FAF
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C802FD0
                                                                                                • __Getctype.LIBCPMT ref: 6C803084
                                                                                                • std::_Facet_Register.LIBCPMT ref: 6C80309C
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8030B7
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                                • String ID:
                                                                                                • API String ID: 1102183713-0
                                                                                                • Opcode ID: 6165555e5456b8ef7c02e730cf66d0754d54d149e6a609c30147fb5fea9c3b9b
                                                                                                • Instruction ID: 94fcc7e0a3499938d53b1813f04eab5d5966344446e5e8741b2e4d77414f0a39
                                                                                                • Opcode Fuzzy Hash: 6165555e5456b8ef7c02e730cf66d0754d54d149e6a609c30147fb5fea9c3b9b
                                                                                                • Instruction Fuzzy Hash: 174134B1A01619CFCB24CF95CA54B9EB7B0FF68718F048528D859ABB40DB74E905CBA1
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: __aulldiv$__aullrem
                                                                                                • String ID:
                                                                                                • API String ID: 2022606265-0
                                                                                                • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                • Instruction ID: 9546d2e381024a1fe867e03df07c9404a1476aee5b4193bd8d44fec88c0eae0e
                                                                                                • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                                                                • Instruction Fuzzy Hash: 0D21EE70A02219FEDF248E949D44DEF7A6EEB813ECF208226B52471690D2718DA4D7B5
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 6C9591CD
                                                                                                • _free.LIBCMT ref: 6C9591F6
                                                                                                • SetEndOfFile.KERNEL32(00000000,6C957DDC,00000000,6C94E7C0,?,?,?,?,?,?,?,6C957DDC,6C94E7C0,00000000), ref: 6C959228
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C957DDC,6C94E7C0,00000000,?,?,?,?,00000000,?), ref: 6C959244
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFileLast
                                                                                                • String ID: 8Q
                                                                                                • API String ID: 1547350101-4022487301
                                                                                                • Opcode ID: bb62bd0ee6b4254d6ce3243a4ae2b25b00e85fbc145a388a04fc347ed2cb024a
                                                                                                • Instruction ID: d89e16ed459acf16d9fe564b16e9ae4eeec54d2d5b0ea445b75bfb47d8756e3a
                                                                                                • Opcode Fuzzy Hash: bb62bd0ee6b4254d6ce3243a4ae2b25b00e85fbc145a388a04fc347ed2cb024a
                                                                                                • Instruction Fuzzy Hash: 5A4118B29006059BFB01DBB8CC44BCE3779EF65338F564604E824A7B90DB34C96A4761
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9C6853
                                                                                                  • Part of subcall function 6C9C65DF: __EH_prolog.LIBCMT ref: 6C9C65E4
                                                                                                  • Part of subcall function 6C9C6943: __EH_prolog.LIBCMT ref: 6C9C6948
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: ((K$<(K$L(K$\(K
                                                                                                • API String ID: 3519838083-3238140439
                                                                                                • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                                • Instruction ID: 4ee0f8ffe96207b879572c957633073f5f16291192c237839192f92594919a87
                                                                                                • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                                                                                                • Instruction Fuzzy Hash: 29214DB0901B54CED724DF6AC5446ABFBF4EF64308F108A1F809687B50DBB4A648CB66
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C9428A4,00000000,?,6C942925,6C93D339,00000003,00000000), ref: 6C94282F
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C942842
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,6C9428A4,00000000,?,6C942925,6C93D339,00000003,00000000), ref: 6C942865
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: af49508b8dd20e98342c264b9373a545c125305550f89788dd81907c1b1e19f4
                                                                                                • Instruction ID: d0e96456fc8ba2b024db2109f8d9846925caddbeb796537dd41a261cacdb64ce
                                                                                                • Opcode Fuzzy Hash: af49508b8dd20e98342c264b9373a545c125305550f89788dd81907c1b1e19f4
                                                                                                • Instruction Fuzzy Hash: 38F08230615519FBEF119B62CD0DB9DBB78FB41359F214074A401F2A90CF34CA41DB90
                                                                                                APIs
                                                                                                • __EH_prolog3.LIBCMT ref: 6C93AA1E
                                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 6C93AA29
                                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 6C93AA97
                                                                                                  • Part of subcall function 6C93A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C93A938
                                                                                                • std::locale::_Setgloballocale.LIBCPMT ref: 6C93AA44
                                                                                                • _Yarn.LIBCPMT ref: 6C93AA5A
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                • String ID:
                                                                                                • API String ID: 1088826258-0
                                                                                                • Opcode ID: 4825e7cda1a8224eaf16597bd8f0f8dbe22bb4c37d4f7cdc3ef25805ee1a219d
                                                                                                • Instruction ID: 83ca848e4031b38b1c44acb147601da47cdce6928df42c87ebae74a950a8384f
                                                                                                • Opcode Fuzzy Hash: 4825e7cda1a8224eaf16597bd8f0f8dbe22bb4c37d4f7cdc3ef25805ee1a219d
                                                                                                • Instruction Fuzzy Hash: D8019E757002228FDF0ADBA08A545BC77B2FFA5204B155048D80A97B80CF34DA06CB91
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: $!$@
                                                                                                • API String ID: 3519838083-2517134481
                                                                                                • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                • Instruction ID: 2ef25bcfa49f243619640fdb3a9c6dcdf80d4b9db2ee59a6ea58bf8d0b108a1f
                                                                                                • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                                                                • Instruction Fuzzy Hash: 00126C70E05249EFCB04CFA4C590AEEBBB5FF19308F148069E845ABB51DB35E985CB60
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog__aulldiv
                                                                                                • String ID: $SJ
                                                                                                • API String ID: 4125985754-3948962906
APIs
  • Part of subcall function 6C93AA17: __EH_prolog3.LIBCMT ref: 6C93AA1E
  • Part of subcall function 6C93AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C93AA29
  • Part of subcall function 6C93AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C93AA44
  • Part of subcall function 6C93AA17: _Yarn.LIBCPMT ref: 6C93AA5A
  • Part of subcall function 6C93AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C93AA97
  • Part of subcall function 6C802F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C802F95
  • Part of subcall function 6C802F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C802FAF
  • Part of subcall function 6C802F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C802FD0
  • Part of subcall function 6C802F60: __Getctype.LIBCPMT ref: 6C803084
  • Part of subcall function 6C802F60: std::_Facet_Register.LIBCPMT ref: 6C80309C
  • Part of subcall function 6C802F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8030B7
• std::ios_base::_Addstd.LIBCPMT ref: 6C80211B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3332196525-1866435925
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: 0$LrJ$x
• API String ID: 3519838083-658305261
APIs
• __EH_prolog.LIBCMT ref: 6C997ECC
  • Part of subcall function 6C98258A: __EH_prolog.LIBCMT ref: 6C98258F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: :hJ$dJ$xJ
• API String ID: 3519838083-2437443688
APIs
• SetFilePointerEx.KERNEL32(00000000,?,00000000,6C94E7C0,6C801DEA,00008000,6C94E7C0,?,?,?,6C94E36F,6C94E7C0,?,00000000,6C801DEA), ref: 6C94E4B9
• GetLastError.KERNEL32(?,?,?,6C94E36F,6C94E7C0,?,00000000,6C801DEA,?,6C957D8E,6C94E7C0,000000FF,000000FF,00000002,00008000,6C94E7C0), ref: 6C94E4C3
• __dosmaperr.LIBCMT ref: 6C94E4CA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID: 8Q
• API String ID: 2336955059-4022487301
APIs
• __EH_prolog.LIBCMT ref: 6C9B61BA
  • Part of subcall function 6C9B6269: __EH_prolog.LIBCMT ref: 6C9B626E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: J$0J$DJ
• API String ID: 3519838083-3152824450
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: <J$DJ$HJ$TJ$]
• API String ID: 0-686860805
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID:
• String ID: ,3K$,3K@3KP3K$@3K$P3K$p3K
• API String ID: 0-3393562052
APIs
• GetLastError.KERNEL32(00000008,?,00000000,6C94BB43), ref: 6C9480A7
• _free.LIBCMT ref: 6C948104
• _free.LIBCMT ref: 6C94813A
• SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C948145
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,6C957DDC,00000000,00000000,?,6C958241,00000000,00000001,00000000,6C94E7C0,?,6C94F976,?,?,6C94E7C0), ref: 6C9595C1
• GetLastError.KERNEL32(?,6C958241,00000000,00000001,00000000,6C94E7C0,?,6C94F976,?,?,6C94E7C0,?,6C94E7C0,?,6C94F40C,6C9591A6), ref: 6C9595CD
  • Part of subcall function 6C95961E: CloseHandle.KERNEL32(FFFFFFFE,6C9595DD,?,6C958241,00000000,00000001,00000000,6C94E7C0,?,6C94F976,?,?,6C94E7C0,?,6C94E7C0), ref: 6C95962E
• ___initconout.LIBCMT ref: 6C9595DD
  • Part of subcall function 6C9595FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C95959B,6C95822E,6C94E7C0,?,6C94F976,?,?,6C94E7C0,?), ref: 6C959612
• WriteConsoleW.KERNEL32(00000000,?,6C957DDC,00000000,?,6C958241,00000000,00000001,00000000,6C94E7C0,?,6C94F976,?,?,6C94E7C0,?), ref: 6C9595F2
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
• Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
• Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: x'K$|'K
• API String ID: 3519838083-1041342148
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
Similarity
• API ID: H_prolog3_
• String ID: 8Q
• API String ID: 2427045233-4022487301
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: @$hfJ
• API String ID: 3519838083-1391159562
APIs
• __EH_prolog.LIBCMT ref: 6C98BC5D
  • Part of subcall function 6C98A61A: __EH_prolog.LIBCMT ref: 6C98A61F
  • Part of subcall function 6C98AA2E: __EH_prolog.LIBCMT ref: 6C98AA33
  • Part of subcall function 6C98BEA5: __EH_prolog.LIBCMT ref: 6C98BEAA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: WZJ
• API String ID: 3519838083-1089469559
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 6C802A76
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
Similarity
• API ID: ___std_exception_destroy
• String ID: Jbx$Jbx
• API String ID: 4194217158-1161259238
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: <dJ$Q
• API String ID: 3519838083-2252229148
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: $D^J
• API String ID: 3519838083-3977321784
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: 8)L$8)L
• API String ID: 3519838083-2235878380
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: qJ$#
• API String ID: 3519838083-4209149730
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C957DC6), ref: 6C95070B
• __dosmaperr.LIBCMT ref: 6C950712
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
Similarity
• API ID: ErrorLast__dosmaperr
• String ID: 8Q
• API String ID: 1659562826-4022487301
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: X&L$p|J
• API String ID: 3519838083-2944591232
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: 0|J$`)L
                                                                                                • API String ID: 3519838083-117937767
                                                                                                • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                • Instruction ID: c1a683dedecccef439f42f9d73f0ec0444683fb711da562b6234dbb283b6b175
                                                                                                • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                                                                • Instruction Fuzzy Hash: C9417131605785EFDF119FA5C490ABEBBE6FF65208F00442EE05A57B50CB31E909CB91
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: __aulldiv
                                                                                                • String ID: 3333
                                                                                                • API String ID: 3732870572-2924271548
                                                                                                • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                • Instruction ID: c2aa80db4bf61d87efb1b8089318e0949e2bcd999ad744fb7ba2f4199eb2d952
                                                                                                • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                                                                • Instruction Fuzzy Hash: 2E21A8B0A00704AFD730CFA99880B5BF6FDEB58759F10892EE186D7B40DB70D9488B65
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: #$4qJ
                                                                                                • API String ID: 3519838083-3965466581
                                                                                                • Opcode ID: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                                • Instruction ID: cdadd28c8cd999b6d5de12fe346a49d0a2fe854b34760c2af9e70fc72205c56a
                                                                                                • Opcode Fuzzy Hash: 84a8eb9074b6f9089a1fd02d6bcb4d7259a4313f9f2765f71615d484bdca8079
                                                                                                • Instruction Fuzzy Hash: B431BF35A04219DFEF10CF96C840AEE73B9BF55718F084198E81167B90D770ED05CBA1
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: @$LuJ
                                                                                                • API String ID: 3519838083-205571748
                                                                                                • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                                • Instruction ID: 4330d0aeccaa02769b1795c27e8819d792b4508b357e0df10081b6c7b48d8517
                                                                                                • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                                                                • Instruction Fuzzy Hash: B7015E72E01205DACB10DFE984805AEB7B4FF65748F40C42EE569A3A41C334D945CB59
                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 6C951439
                                                                                                • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C94DD2A,?,00000004,?,4B42FCB6,?,?,6C942E7C,4B42FCB6,?), ref: 6C951475
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1563668992.000000006C7B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C7B0000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1563639466.000000006C7B0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565658033.000000006C95B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1574887326.000000006CB27000.00000002.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocHeap_free
                                                                                                • String ID: 8Q
                                                                                                • API String ID: 1080816511-4022487301
                                                                                                • Opcode ID: 18da7f1af16aabf9848a17df1b61856bbe33990d30dd30fe042b12ff4d134a42
                                                                                                • Instruction ID: c0cfd4a176649528932d280e71f8bfd2275f964157f060b6f20b6b78fd87260c
                                                                                                • Opcode Fuzzy Hash: 18da7f1af16aabf9848a17df1b61856bbe33990d30dd30fe042b12ff4d134a42
                                                                                                • Instruction Fuzzy Hash: A4F04C3120111166DB109E265C00F9B372C9FE3BB8F91C216E81597AC0DB30D415C091
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9B0185
                                                                                                  • Part of subcall function 6C9B022B: __EH_prolog.LIBCMT ref: 6C9B0230
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: J$0J
                                                                                                • API String ID: 3519838083-2882003284
                                                                                                • Opcode ID: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                                                                                • Instruction ID: ee8c9e62239f6c6742326326f435852a0764522156e78a397ac25d2f8ec73d98
                                                                                                • Opcode Fuzzy Hash: 5025c659522292fd6d13656942a962c3f91794ff08eea141c4429de393d252e1
                                                                                                • Instruction Fuzzy Hash: EF1190B0911B108BC3248F2AC5541D6FBF8FFA5754B40C91F94AA87A20C7B8A5488F98
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9ADFCC
                                                                                                  • Part of subcall function 6C9AD4D1: __EH_prolog.LIBCMT ref: 6C9AD4D6
                                                                                                  • Part of subcall function 6C9AC14B: __EH_prolog.LIBCMT ref: 6C9AC150
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: J$0J
                                                                                                • API String ID: 3519838083-2882003284
                                                                                                • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                                • Instruction ID: a5803d0e5e260ddbcecd1169aee60db14fbba679eac613ad5262cf694eecacbb
                                                                                                • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                                                                                • Instruction Fuzzy Hash: 2501C5B1904B51CFC325CFA6C5A468AFBE0FB25708F90C95EC4A657B50D7B8A508CB68
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9CE439
                                                                                                  • Part of subcall function 6C9CE4BA: __EH_prolog.LIBCMT ref: 6C9CE4BF
                                                                                                  • Part of subcall function 6C9B022B: __EH_prolog.LIBCMT ref: 6C9B0230
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: D.K$T.K
                                                                                                • API String ID: 3519838083-2437000251
                                                                                                • Opcode ID: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                                • Instruction ID: 9348f2fac1e9f44b45c7aedcf92fe5525a3fe011b34ec8cf1855435f1ffdce49
                                                                                                • Opcode Fuzzy Hash: 4bf8c15ffd7a86929b4665866baf81e9eeb815ebced635067bbf52e837154634
                                                                                                • Instruction Fuzzy Hash: 36012170911B51CFC724CF65C5142CABBF0AF29704F00C91E80AA97B40D7B8A648CB95
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: 8)L$8rJ
                                                                                                • API String ID: 3519838083-896068166
                                                                                                • Opcode ID: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                                • Instruction ID: 4474afb06273584b473b373991c3834c598c4b83dde4e94104b07aca69a7b191
                                                                                                • Opcode Fuzzy Hash: 31b7b83379da487e0b0fee470bf6f7791c36dd68afdddb73284a070326b97c38
                                                                                                • Instruction Fuzzy Hash: 1FF03A76A04114EFC700CF98D949ADEBBF8FF46354F14806AF405A7211D7B8DA04CBA5
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prologctype
                                                                                                • String ID: \~J
                                                                                                • API String ID: 3037903784-3176329776
                                                                                                • Opcode ID: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                                • Instruction ID: 87bec3b7be377f134b598fda3d17119638230e48e3284be446c114337cb58551
                                                                                                • Opcode Fuzzy Hash: 46757733936a42b96b936dd1dab949ec9d96d52f22713a54e894f9e80fe70f1d
                                                                                                • Instruction Fuzzy Hash: B5E06532B055119FEB249F89D814BDDF3A8EF64B1CF10815FA01167A51CFB1E845CA80
                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prologctype
                                                                                                • String ID: |zJ
                                                                                                • API String ID: 3037903784-3782439380
                                                                                                • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                                • Instruction ID: 2b69257718d15a68c2a0131d2c3b6ea84de108d440f34f4f5565097cd13a2450
                                                                                                • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                                                                • Instruction Fuzzy Hash: C9E06532605520AFEB14DB8DD90179DF7A8FF64718F10401F9412E7A45CBB1E845C681
                                                                                                APIs
                                                                                                • __EH_prolog.LIBCMT ref: 6C9AC0E0
                                                                                                  • Part of subcall function 6C9AC14B: __EH_prolog.LIBCMT ref: 6C9AC150
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID: H_prolog
                                                                                                • String ID: J$0J
                                                                                                • API String ID: 3519838083-2882003284
                                                                                                • Opcode ID: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                                • Instruction ID: ccdbaa9d098c97021da455f69bae35b2f1919c67d72d3cf70e17d736812571b6
                                                                                                • Opcode Fuzzy Hash: 235f570c22735095cf226f139ec23b8166c83fec4b7bd0089cfa702e7a6a385e
                                                                                                • Instruction Fuzzy Hash: A4F0C4B0901B51CFC724DF69D95428ABBF0FB16708B50C91F80AA97B10D7B8A548CBA8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: @ K$DJ$T)K$X/K
                                                                                                • API String ID: 0-3815299647
                                                                                                • Opcode ID: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                                • Instruction ID: d49dd6b73f5d0cf0f9798a466af8c258ddc64d003f375f1f036978d1990f9f88
                                                                                                • Opcode Fuzzy Hash: dac98d89fb1dd2bd8a0dcac61504098bca9fe61148d739192528eb0bc1c541c2
                                                                                                • Instruction Fuzzy Hash: CB91EE30604F059BDB24EE65C4587EAB3A6AF6130CF21841AD8666BB81CB35FD09C761
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: D)K$H)K$P)K$T)K
                                                                                                • API String ID: 0-2262112463
                                                                                                • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                                • Instruction ID: 754ab3016f749c9b05dc9a843f4f9d25728e70be75632a524e96f9b34af30918
                                                                                                • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                                                                                • Instruction Fuzzy Hash: 3051BE31A04249ABEF04DF95D880ADEB7B5AF3531CF10841AE81167F90DB71E958CBA6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: (?K$8?K$H?K$CK
                                                                                                • API String ID: 0-3450752836
                                                                                                • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                                • Instruction ID: 4156ad9e448f5a5e4beb6cadb89b23a64e5e3363c2d537580bd978b0426d96c3
                                                                                                • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                                                                                • Instruction Fuzzy Hash: 09F01DB06017009ED3208F15D54469BBBF8AB55749F50C91EE09A97A40D3B8E5088FA9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000D.00000002.1565978298.000000006C96B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C96B000, based on PE: true
                                                                                                • Associated: 0000000D.00000002.1570118913.000000006CA36000.00000004.00000001.01000000.00000009.sdmp
                                                                                                • Associated: 0000000D.00000002.1570326048.000000006CA3C000.00000020.00000001.01000000.00000009.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_13_2_6c7b0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 00K$@0K$P0K$`0K
                                                                                                • API String ID: 0-1070766156
                                                                                                • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                                                                                • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                                                                                                • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                                                                                                • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8